DORA: Everything you should know about
the Digital Operational Resilience Act

On 17 January 2025, DORA (the Digital Operational Resilience Act) comes into force. This European regulation requires financial institutions to strengthen their digital resilience and manage cyber risks more effectively. But what exactly does DORA entail? And how does it differ from NIS2?

What is DORA?

DORA is a European regulation that elevates cybersecurity and digital operational resilience within the financial sector. The goal? To minimise IT risks and prevent cyber incidents that could jeopardise financial stability.

DORA comprises three layers:

  • Level 1: The general directive with binding rules
  • Level 2: Technical standards and implementation guidelines
  • Level 3: Supervision measures and compliance checks

The first technical standards were approved by the European Commission in January 2024. The second phase, with guidelines for Threat-Led Penetration Testing (TLPT) and incident reporting, is to be submitted by 17 July 2024.

Who does DORA apply to?

DORA applies to an extensive group of financial institutions and their IT service providers, including:

✔ Banks and investment firms
✔ Insurers
✔ Payment institutions & electronic money institutions
✔ Pension funds
✔ Crowdfunding platforms

Furthermore, DORA also applies to IT providers that supply services to these financial bodies.

The 5 pillars of DORA

DORA imposes strict requirements in five critical areas:

  1. IT Risk Management
    Organisations must establish a comprehensive risk management framework with policies, procedures and controls.
  2. Incident Management & Reporting
    An incident response plan is mandatory to quickly detect and resolve cyber threats.
  3. Digital Resilience Testing
    Regular cybersecurity tests, such as Threat-Led Penetration Testing (TLPT), are mandatory.
  4. Risk Management for IT Suppliers
    Companies must develop a vendor risk management strategy and actively monitor it.
  5. Collaboration & information exchange
    DORA encourages closer collaboration and information sharing between financial institutions and IT service providers, so that cyber threats are detected and mitigated more quickly.

DORA versus NIS2: What’s the difference?

Alongside DORA, NIS2 also comes into effect: a broader EU regulation that focuses on cybersecurity within critical infrastructure.

  • The rule for financial institutions: if a company falls under both regulations, DORA takes precedence with its stricter requirements.
  • NIS2 fines can reach up to 2% of the global turnover, and management members may be held personally liable for negligence.

What are the consequences of non-compliance?

  • Financial sanctions from national regulators
  • Reputational damage and loss of customer trust
  • Possible legal prosecution in case of gross negligence

How do you prepare your organisation for DORA?

Compliance with DORA requires a strategic approach and specialised expertise. Tyneso is ISO 27001-certified and supports financial institutions in setting up a solid cybersecurity strategy.

  • Do you want to be sure that your organisation is DORA compliant?
  • Curious about how we can strengthen your cybersecurity?

Contact Tyneso for a free consultation!

📞  +32 (0)3 123 45 67
📩  info@tyneso.com

Stay compliant and secure!

Would you like to know more about how you can make your organisation more secure, while also remaining compliant?