What Is DORA?
DORA (the Digital Operational Resilience Act) was proposed by the European Commission in September 2020 as part of the EU's digital finance package. The legislation was reviewed and debated over the next two years and was adopted by the European Parliament in November 2022. Technical standards and implementation guidelines are being developed through 2024, leading up to Jan. 17, 2025, the date from which the regulation applies.
DORA is divided into five pillars:
- Risk Management. Banks must establish and maintain an ICT risk management framework, with tools and controls that minimize risk. They must also continuously monitor for risks and deploy solutions that can promptly detect anomalous activity.
- Third-Party Risk Management. Financial firms must work with the third-party providers with which they do business to create a consistent monitoring approach. They must also ensure that contracts with third parties include all relevant information about how, when and where data is being processed.
- Incident Reporting. Banks must establish management processes to log every ICT-related incident, classify incidents according to criteria developed by the European Supervisory Authorities (EBA, EIOPA and ESMA), and report major incidents to their competent authority.
- Information Sharing. The regulations encourage financial firms to share relevant data to help collectively enhance digital resilience, raise risk awareness and minimize the spread of threats.
- Resilience Testing. Finally, components of the risk management framework must be tested regularly. Any deficiencies or gaps must be identified and then eliminated or mitigated. Banks that supervisors designate for advanced testing must also carry out threat-led penetration testing (red team assessments against live production systems) to pinpoint areas of high risk.
What Does DORA Mean for Banks?
For banks, the DORA compliance process is a good time to review current security policies and procedures. The sooner this review starts, the better — 2025 may seem like a long way off, but the time it takes to identify issues, deploy solutions and evaluate their impact may be substantial.
DORA also has impacts that extend beyond banks. Specifically, the regulation covers third parties that provide information and communication technology (ICT) services to banks, such as cloud platforms, data analytics services, and solutions from other IT partners and providers. This means that banks must not only ensure their own compliance but also take steps to verify the DORA compliance of any provider that handles digital financial data.
Where Can Banks Get Help with DORA Compliance?
Security services from a trusted partner can help banks prepare for DORA regulations, and the best place to start would be a security maturity assessment. The results can serve as a starting point not for DORA compliance per se, but for ensuring the tools and systems are in place to defend against cyberthreats and respond adequately to incidents.
CDW helps clients build secure and flexible risk management programs around their critical data, a practice required by two DORA pillars.
Beyond our internal expertise is our network of partnerships with leading-edge security companies. BlueVoyant, for instance, is a partner whose services make it possible for companies to identify common risks such as misconfigurations, malware, data leakage and open ports. Businesses can then validate, measure and remediate these risks.
DORA adoption is underway, and by Jan. 17, 2025, banks must be compliant with all five pillars. The sooner banks get rolling on DORA compliance, the better off they will be.