Jul 12 2023

What is DORA & What Do Banks Need to Know?

Compliance with the EU’s Digital Operational Resilience Act is mandatory. Here’s what this means for banks.

On Jan. 16, the clock began ticking on the Digital Operational Resilience Act, better known as DORA, a new security regulation that financial institutions must comply with by January 2025.

Although adopted by the European Union, DORA will affect banks in the United States and elsewhere. According to the Council of the European Union,“DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information Communication Technologies)-related services to them.”

DORA establishes a set of regulatory standards to help reduce cybersecurity risk. Here’s what the new legislation means for banks.

Click the banner below to find out how business are modernizing their applications.

What Is DORA?

DORA began as a draft in September 2020 as part of the EU’s digital finance package. The legislation was reviewed and debated over the next two years and was adopted by the European Parliament in November 2022. Technical standards and implementation guidelines will be developed through 2024, leading up to the Jan. 17, 2025, compliance deadline.

DORA is divided into five pillars:

  1. Risk Management. Banks must set up and maintain tools that minimize risk. They must also continuously monitor for risks and deploy solutions that can promptly detect anomalous activities.
  2. Third-Party Risk Management. Financial firms must work with the third-party providers with which they do business to create a consistent monitoring approach. They must also ensure that contracts with third parties include all relevant information about how, when and where data is being processed.
  3. Incident Reporting. Banks must establish management processes to log any IT-related security incident and then classify these incidents according to standards developed by the European supervisory authorities.
  4. Information Sharing. The regulations encourage financial firms to share relevant data to help collectively enhance digital resilience, raise risk awareness and minimize the spread of threats.
  5. Resilience Testing. Finally, components of risk management frameworks should be tested regularly. Any deficiencies or gaps must be identified and then eliminated or mitigated. Banks must also carry out red team and purple team assessments to pinpoint areas of high risk.

What Does DORA Mean for Banks? 

For banks, the DORA compliance process is a good time to review current security policies and procedures. The sooner this review starts, the better — 2025 may seem like a long way off, but the time it takes to identify issues, deploy solutions and evaluate their impact may be substantial.

DORA also has impacts that extend beyond banks. Specifically, the regulations call out third parties that provide information communication technologies services to banks, such as cloud platforms, data analytics services, and solutions from other IT partners and providers. This means that banks must not only ensure their own compliance but also take steps to verify the DORA compliance of any provider that handles digital financial data.

READ MORE: How to balance access and security in financial services.

Where Can Banks Get Help with DORA Compliance?

Security services from a trusted partner can help banks prepare for DORA regulations, and the best place to start would be a security maturity assessment. The results can serve as a starting point not for DORA compliance per se, but for ensuring the tools and systems are in place to defend against cyberthreats and respond adequately to incidents.

CDW helps clients build secure and flexible risk management programs around their critical data, a practice required by two DORA pillars.

Beyond our internal expertise is our network of partnerships with leading-edge security companies. BlueVoyant, for instance, is a partner whose services make it possible for companies to identify common risks such as misconfigurations, malware, data leakage and open ports. Businesses can then validate, measure and remediate these risks.

DORA adoption is underway, and by January 2025, banks must be compliant with all five pillars. The sooner banks get rolling on DORA compliance, the better off they’ll be.

This article is part of BizTech's EquITy blog series. Please join the discussion on X (formerly Twitter) by using the #FinanceTech hashtag.


VioletaStoimenova/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT