Zscaler Inc.

08/29/2024 | News release | Distributed by Public on 08/29/2024 03:52

Understanding the Digital Operational Resilience Act (DORA)

I live in Sweden, where 10% or fewer of purchases are made with cash. Few carry cash regularly, and it can often be difficult to find places that accept it. This means that if I lose my phone or internet connection, simple tasks like paying for my coffee are exceedingly difficult. And I am in no way unique in this aspect; at least half of Europeans prefer this type of transaction. Here, we even have our passports on our mobile phones! Our collective reliance on digital infrastructure in day-to-day life cannot be overstated, and is only going to expand further.

With our growing digital footprint, the financial sector faces unprecedented challenges and opportunities. Increased reliance on digital technologies has brought great advances in financial services, but it has also exposed institutions to an ever-growing number of cyber threats and operational risks. Recognizing the critical role digital infrastructure plays in the everyday lives of EU citizens, the European Union has introduced the Digital Operational Resilience Act (DORA). This regulation aims to ensure that financial entities can withstand, respond to, and recover from a wide array of ICT-related disruptions, thereby safeguarding the stability and integrity of the financial system. In this blog post, we will examine the key aspects of DORA, including who is affected, the core requirements for organizations, and practical steps for achieving compliance by the application date of 17 January 2025.

Who is Affected by DORA?

DORA applies to financial entities operating in the European Union. Its scope covers traditional financial organizations, non-traditional financial entities, and the supporting service and infrastructure providers on which they depend. The affected organizations include:

  1. Banks and Credit Institutions: Traditional and digital banks.
  2. Investment Firms: Companies involved in trading, investment management, and advisory services.
  3. Insurance and Reinsurance Firms: Entities providing various insurance products and services.
  4. Payment Service Providers: Companies facilitating digital payments, including e-money institutions.
  5. Crypto-Asset Service Providers: Firms dealing with cryptocurrencies and digital assets.
  6. Market Infrastructures: Entities like stock exchanges and clearing houses.
  7. Critical third-party information services: Including credit rating services and data analytics providers.
  8. Third-party ICT Service Providers: Companies providing critical technology services to financial institutions, such as cloud computing and data analytics.

While the above is not an exhaustive list, it is notable that DORA also reaches third-party ICT service providers that are critical to the operations of the entities in scope. These providers have not traditionally been subject to financial regulation; their inclusion highlights the interconnected nature of modern financial infrastructure.

Key Requirements for Organizations

DORA sets out comprehensive requirements, organized into five pillars, to ensure financial entities can withstand, respond to, and recover from ICT-related disruptions. The key requirements are:

  1. ICT Risk Management: Establishing robust internal processes to identify, assess, and manage risks associated with information and communication technology.
  2. Incident Reporting: Implementing procedures for the timely classification and reporting of major ICT-related incidents to the competent authorities.
  3. Digital Operational Resilience Testing: Regular testing of ICT systems to assess their resilience against potential threats and vulnerabilities, including threat-led penetration testing for entities that meet the relevant criteria.
  4. Information Sharing: Encouraging the exchange of cyber threat information and intelligence among financial institutions to bolster collective defense mechanisms.
  5. Third-party Risk Management: Managing the risk introduced by third-party ICT service providers, including contractual provisions that require those providers to support the financial entity's DORA obligations.

Where Should Organizations Start?

For financial institutions embarking on their journey to comply with DORA, the following steps are crucial:

  1. Conduct a Gap Analysis: Assess current ICT risk management practices against DORA's requirements to identify gaps and areas needing improvement.
  2. Develop a Compliance Roadmap: Create a strategic plan outlining the necessary steps, timelines, and resources required to achieve compliance.
  3. Enhance Incident Reporting Mechanisms: Implement or upgrade systems to ensure timely and accurate reporting of ICT-related incidents.
  4. Strengthen Third-party Relationships: Work closely with your third-party ICT service providers to ensure they can help you meet DORA's requirements.
  5. Invest in Training and Awareness: Include resilience and what to do in the event of an ICT-related emergency in your user training.
  6. Engage in Continuous Testing: Regularly test ICT systems to identify vulnerabilities and ensure resilience against potential cyber threats and outages.

How can Zscaler Help?

Zscaler's Zero Trust Exchange can help organizations on the path to DORA compliance by providing a solid, defensible architecture based on Zero Trust principles to defend your users and data against cyber threats. It enables organizations to securely connect users, both internal and third party, to the applications they need, without overprovisioning access. Additionally, Zscaler provides a set of resilience capabilities to help ensure business continuity during network or cloud disruptions.

What's next?

As the 17 January 2025 application date approaches, financial entities across the EU must prepare for the stringent requirements of DORA. Zscaler's solutions can support compliance efforts, enhance resilience, and protect against ICT-related risks. By adopting a proactive approach to digital operational resilience, financial entities can navigate the complexities of DORA and safeguard their operations in an increasingly digital world. Zscaler is committed to helping its customers through this process. Reach out to your local Zscaler representative and ask to meet with a member of the CISO team to understand how we can help.