DORA - Digital Operational Resilience Act

Aug 02, 2022
Banking | 5 min READ
Against the backdrop of surging cyber-attacks, the EU has pulled out all the stops to ensure enhanced IT security for establishments such as insurance companies, banks, and investment businesses. To this end, last year, the Council Presidency and the European Parliament provisionally agreed upon the Digital Operational Resilience Act (DORA). This legislation, intended to ensure that the EU economies remain resilient through severe operational disruption, is expected to be enacted into law in the summer of 2022. Once passed, this new Act will significantly revamp and bolster the existing cyber law while also being in sync with the latest US laws.
Vikram Chandna, Sr. VP & Global Head

Mark Weston, Investor & Founder

DORA Act Explained
Proposed by the EU, DORA aims to improve the financial services sector’s cybersecurity and operational resiliency while further fortifying existing legislation, including the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
Originally, DORA was part of a set of initiatives launched by the European Commission to digitize the banking sector by advancing innovation and competitiveness within the European Financial Sector.
The trio of European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA) – is responsible for establishing the technical standards to be followed by financial services institutions.
The Act also brings banking, insurance, and asset management companies under its purview to ensure complete compliance.
Specific Objectives of DORA
DORA is the EU's shield to protect the financial sector across member states against Information and Communications Technology (ICT) incidents. It works by imposing rigorous and prescriptive rules that also apply to critical ICT third parties offering services to financial institutions, such as cloud platforms, data analytics, and audit services.
In a nutshell, DORA's mission is to give the financial sector the capability to endure, react to, and recover from the negative impact of ICT incidents without affecting critical tasks or inconveniencing consumers. DORA's success depends on strict adherence to robust measures and protocols on systems, tools, and third parties. Equally, it requires appropriate operational continuity plans whose efficacy is continuously verified.
DORA's overarching objective – to increase operational resilience of digital systems – includes new requirements, and streamlining and updating existing regulations. The goals of note include:
  • Strengthening the financial sector's resilience to ICT-related incidents through the introduction of targeted and prescriptive requirements that are uniform across all EU member states. Indeed, the UK regulators are already issuing their own versions of this regulation.
  • Bringing ICT third parties providing services to financial institutions within the scope of the new regulations.
  • Ensuring organizations can withstand, respond to, and overcome the impact of ICT incidents, guaranteeing the delivery of critical functions and mitigating disruption for customers and the system at large.
  • Providing realizable solutions by establishing robust measures and controls on systems, tools, and third parties, executing operational continuity plans, and testing their effectiveness on an ongoing basis.
To achieve its objectives, DORA uses precise criteria, templates, and directions that inform and educate enterprises on ways to manage ICT and cyber risks. It also underscores the importance of EU regulators to remain active on the topic, with a substantial focus on standardized formats to fulfill conditions for reporting, communication, and assessments. At its core lies one consistent superordinate approach across all the relevant sectors.
By spanning the core aspects and domains of ICT and cyber security, DORA provides a comprehensive digital resiliency framework for the relevant entities. An outline of the critical elements, which together establish a set of requirements for the ICT risk management framework, is given below:
  • Routinely track ICT risks across all sources to ensure remediation through appropriate protection and prevention measures.
  • Establish and maintain robust ICT systems and technologies to reduce risk.
  • Deploy dedicated and comprehensive business continuity policies and disaster recovery plans to ensure prompt recovery following an ICT-related incident.
  • Establish mechanisms to document, learn from, and evolve with each external event.
  • Establish mechanisms and processes geared toward prompt detection of abnormal activities.
Compliance in The Age of DORA
Criticality levels for services offered to financial institutions are well defined under the Digital Operational Resilience Act. It also governs corporations providing direct services to financial institutions, which means that such organizations fall under the supervision of the financial regulator.
DORA also applies to organizations whose services are below the prescribed criticality levels and do not meet the prerequisites for direct supervision. In such instances, although direct monitoring is not required, the financial-institution clients must demand and enforce specific contractual terms to comply with DORA's standards. The explicit demands that financial institutions must make, and the particular security measures that service providers must implement, are outlined in the Act. These expectations and demands are likely to be distributed throughout the entire supply chain to increase the resilience of the financial industry.
How Does Birlasoft Aim to Achieve DORA Compliance Goals?
Birlasoft, the platform, is specifically designed to implement and fulfill each of DORA’s unique specifications while ensuring total compliance with other cyber legislations. This platform accommodates DORA for EBA, ESMA, and EIOPA and brings insurance companies, banks, and asset management firms in sync with mandatory DORA regulations.
Our robust AI-driven cybersecurity reporting function gathers reliable information, uses machine learning to identify appropriate remediations, and compiles comprehensive compliance reports. The system continuously assesses and monitors compliance with DORA by obtaining the most recent data on an event-driven basis.
The platform also allows for monitoring, testing, and certification of the effectiveness of controls by the second and third layers of defense. Sophisticated systems eliminate manual measuring and testing, streamlining all tasks. Our solution gathers data from reliable sources, monitors data flow, and ensures cyber-security by providing documentation and attestation. It also maps the organization’s legal entity controls to each clause of DORA.
What do I need to do now?
With an end-2023 deadline looming for DORA compliance, financial institutions have no time to lose. They must choose and adopt solutions in line with the law and best suited based on the company’s size, business profile, and technological standard. The persistent demand for mature ICT and security risk management processes within the financial sector will come to fruition with DORA, and the new, defined regulations it brings with it.
Existing guidance, such as the EBA Guidelines on ICT and security risk management and the EBA Guidelines on outsourcing arrangements, currently sits under the heading of Guidance on Technology Arrangements. Under DORA, ICT security risk management and outsourcing arrangements would become a mandate.
The time to be DORA-ready is now. Partner with expert DORA solutions providers such as Birlasoft to implement DORA-compliant products and services. With DORA-compliant products, you will have sustainable solutions capable of dealing with complicated requirements such as threat intelligence and supplier risk management.