Saturday, January 18, 2025

A Comprehensive Guide to Achieving DORA Compliance

The Digital Operational Resilience Act (DORA) entered into force on January 16, 2023. After a two-year adjustment period, financial organizations must comply with its requirements by January 17, 2025. DORA is designed to help these institutions withstand serious digital disruptions.

This regulation addresses various aspects of cyber resilience, including auditability and the responsibilities shared between financial institutions and their third-party software and IT service providers. While it primarily affects companies operating within the European Union (EU), other regions are also enhancing their cyber resilience: the Australian Prudential Regulation Authority, the Bank of England, and the U.S. Securities and Exchange Commission (SEC) are all focusing on this issue.

One major area of concern is the resilience of the IT supply chain. Flaws in third-party products have increasingly drawn attention. A notable incident involved a CrowdStrike vulnerability that disrupted Windows systems globally; banks were among the casualties, with many customers unable to access online banking, ATMs, or card payment systems.

DORA aims to reduce disruptions to banking operations from IT problems, but its success directly depends on how mature organizations are in their cyber security practices. A SecurityScorecard evaluation examined the cyber security performance of Europe’s top 100 companies from August 2023 to August 2024, considering factors like network security, malware exposure, endpoint security, and application security.

According to the research, a staggering 98% of these companies faced breaches involving third-party suppliers during the year-long study. Under DORA, financial institutions must evaluate and classify the criticality of their third-party service providers based on the business impact and the risks they may pose. Article 28 of DORA emphasizes that managing ICT risk from third parties must be part of the organization’s overall ICT risk management strategy. Financial entities that rely on third-party services are held accountable for the overall cyber security of their operations and must conduct thorough risk assessments of their suppliers.

Ryan Sherstobitoff from SecurityScorecard highlights the danger of supply chain vulnerabilities. He warns that adversaries exploit these weak links to breach networks, emphasizing the need for firms to prioritize third-party risk management under evolving regulations like DORA. Recent breaches, including the high-profile SolarWinds, Log4j, and MOVEit incidents, illustrate the finding that 75% of third-party breaches target the software and technology supply chain.

Romain Deslorieux from Thales underscores the importance of information security management as a legal requirement due to DORA. Companies need to simplify and automate their cyber security processes to ensure comprehensive protection for their applications, data, and identities.

Martin Thompson, an analyst, suggests that organizations should initiate a discovery process to assess the risks of their IT products and services. Shane O’Neill from Grant Thornton advocates for investing in platforms that centralize ICT asset inventories, giving firms clearer insights into potential supplier risks. He highlights the benefits of automation in streamlining the review process required by DORA, reducing human error, and ensuring compliance.

Despite many organizations having good security practices, there’s a continued need to address third-party risks and the complexities of their IT ecosystems. Alain Traill from Latham & Watkins notes that many firms still need to catch up on compliance and suggests that they conduct gap analyses to pinpoint deficiencies in their resilience measures. This includes reviewing governance and policies, especially focusing on incident response and resilience testing, alongside an inventory and remediation of contracts.

DORA expects organizations to assess their IT supply chain’s resilience, so third parties must understand their own responsibilities under this regulation. Traill indicates that IT providers should update their contract terms and policies, especially if their customers include financial entities within the purview of DORA.

Forrester’s van der Hout advises IT leaders in financial firms to carefully evaluate the compliance status of their IT vendors, since removing a non-compliant vendor once it is integrated into existing systems can be challenging. Beyond securing third-party IT services, Deslorieux points out that DORA mandates that organizations clearly define policies for encrypting sensitive data at all stages.

Experts agree that implementing DORA will require substantial work, ultimately impacting IT budgets significantly. Forrester estimates that maintaining compliance could increase cyber security costs by about 10%. Compliance progress will depend on the existing maturity of cyber security practices, but many organizations likely have the groundwork laid for meeting DORA’s requirements.