DORA Decoded: Understanding Cybersecurity for the Financial Services Sector
Financial services entities have become used to complying with intense cybersecurity requirements, but the bar will be raised on 17 January 2025 when the EU Digital Operational Resilience Act (DORA) takes effect. By introducing management liability, cybersecurity risk management controls, and mandatory contracting elements applicable to information and communication technology (ICT) service providers, DORA gives Firms a great deal to unpack.
DORA, which will have direct effect in all EU member states for in-scope financial services firms (Firms), casts a wide net, capturing not only banks, investment firms, and credit and payment institutions, but also trading venues and repositories, crypto service providers and issuers, credit rating agencies, and insurers.
A large part of DORA’s ‘digital operational resilience’ focuses on the ability of Firms to withstand, respond to, and recover from all types of ICT disruptions and cyber threats – making cybersecurity a key piece of the puzzle. Where Firms find themselves under the rule of multiple cybersecurity regimes, such as NIS2 as well as the Critical Entities Resilience Directive (CER), DORA takes precedence where there is any conflict (or in the case of CER, where there is certain duplication). DORA also creates a mechanism for regulatory authorities to impose obligations directly on some especially important ICT service providers whose services are systemically important to the functioning of the financial services market. We will uncover the myths and truths surrounding DORA and its potential impact on ICT service providers (which includes cloud computing, data analytics, and software providers and data centres) in an upcoming separate alert. For a discussion of DORA and its interplay with other financial sector regimes, see our previous alert.
Before we dive into the details of DORA’s key requirements, in-scope organisations should note that their obligations must be viewed through a lens of proportionality. While DORA provides for more detailed cybersecurity requirements than other EU frameworks such as NIS2 or the Cyber Resilience Act, DORA’s approach is still very much risk-based. This means that DORA does not prescribe exact one-size-fits-all requirements but provides some flexibility in its implementation by accounting for a Firm’s size and overall risk profile, as well as the nature, scale, and complexity of its services, activities, and operations. For example, Firm management should determine its risk tolerance level for ICT risk when developing its digital operational resilience strategy.
1. ICT Risk Management and Governance: To efficiently manage ICT risks, DORA requires Firms to:
(i) implement an internal ICT governance and control framework;
(ii) use and maintain updated ICT systems; and
(iii) implement ICT security policies such as information security, business continuity, and backup policies.
While many Firms may already meet or exceed these requirements, DORA further mandates that these frameworks must be defined, approved, and overseen by Firm management. Additionally, Firms must appropriately segregate their risk management, internal audit, and control functions to ensure proper independence of functions, and must document and review their framework at least annually or following a significant ICT-related incident.
2. Management Liability: Under DORA, senior management (rather than, for instance, the IT department) will bear final responsibility for managing ICT risks. Members of management are expected to proactively maintain their knowledge and skills relating to ICT risk (including by attending regular targeted training) in a way that is proportionate to the ICT risk being managed. These obligations come with real bite, because competent authorities can impose administrative penalties, including fines and remedial measures, directly on members of the management team.
3. ICT-Related Incident Response and Reporting: Under DORA, Firms must establish incident management processes to promptly detect anomalous ICT activities and classify these threats according to mandatory criteria prescribed under DORA. Any incidents classified as “major ICT” incidents (in consideration of the number of affected clients/transactions, duration, geographical spread, data losses, criticality of services, and economic impact) must be reported to the competent authority. In October 2024, the European Commission adopted a delegated regulation setting out the time limits and content requirements for these notification obligations.
| Report | Notification deadline |
| --- | --- |
| Initial report | No later than 24 hours from incident awareness (but as soon as possible, within 4 hours from the incident classification) |
| Interim report | Within 72 hours from the initial report |
| Final report | Within one month from the interim report |
While these time frames may look similar to notification requirements under other cyber regimes, a notable distinction is that DORA uses each previous report as the reference point for the next notification, whereas other regimes (such as NIS2 and the Cyber Resilience Act) tend to use initial incident awareness for the interim report. Firms should keep this in mind when adjusting their existing breach response plans to accommodate DORA.
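As an added illustration (not part of the original alert), the following Python helper computes the reporting schedule from the table above, anchoring each later deadline to the moment the previous report was actually sent, so a late initial report visibly pushes the interim and final deadlines. The 72-hour awareness-anchored comparison window, used to show the contrast with regimes that count from initial awareness, is an assumption for illustration only.

```python
import calendar
from datetime import datetime, timedelta

def add_one_month(ts: datetime) -> datetime:
    """Advance ts by one calendar month, clamping the day when the target
    month is shorter (31 January -> 28 February in a non-leap year)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def dora_deadlines(awareness, classification, initial_sent=None, interim_sent=None):
    """Deadlines for a major ICT-related incident using the windows quoted in
    the table above. Interim and final deadlines are anchored to the time the
    previous report was actually submitted; if a report has not been sent yet,
    its own deadline is used as a provisional anchor."""
    if classification < awareness:
        raise ValueError("an incident cannot be classified before it is known")
    # Initial report: within 4 hours of classification, but never later than
    # 24 hours after awareness, whichever comes first.
    initial_due = min(awareness + timedelta(hours=24),
                      classification + timedelta(hours=4))
    interim_due = (initial_sent or initial_due) + timedelta(hours=72)
    final_due = add_one_month(interim_sent or interim_due)
    return {
        "initial_due": initial_due,
        "interim_due": interim_due,
        "final_due": final_due,
        "initial_late": initial_sent is not None and initial_sent > initial_due,
        "interim_late": interim_sent is not None and interim_sent > interim_due,
    }

def awareness_anchored_interim(awareness, window_hours=72):
    """Comparison point for regimes that anchor the interim report on initial
    awareness (assumed 72 h window, for illustration only); this deadline does
    not move if the initial report is sent late."""
    return awareness + timedelta(hours=window_hours)

if __name__ == "__main__":
    # Constructed sample timeline, not a real incident.
    aware = datetime(2025, 1, 31, 9, 0)
    classified = datetime(2025, 1, 31, 15, 0)
    on_time = dora_deadlines(aware, classified)
    late = dora_deadlines(aware, classified, initial_sent=datetime(2025, 2, 1, 9, 0))
    for label, sched in (("initial report on time", on_time), ("initial report late", late)):
        print(label, {k: str(v) for k, v in sched.items()})
    print("awareness-anchored interim deadline:", awareness_anchored_interim(aware))
```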
4. Digital Operational Resilience Testing: While many Firms may have already undertaken digital operational resilience testing as a best practice, DORA makes this mandatory by imposing requirements for an operational resilience testing programme (DRTP). The DRTP should follow a risk-based approach and regularly assess internal ICT systems to identify gaps in operational resilience, and the assessments should be conducted by independent parties (whether internal or external) to ensure unbiased evaluation. Since outcomes from the DRTP must be implemented to continuously run the programme and ICT systems, key stakeholders (such as senior management) should be routinely notified of relevant information to inform their decision making.
5. Third-Party Risk Management: Another key DORA obligation requires Firms to adopt and review a strategy on ICT third-party risk and implement robust third-party risk management practices when selecting and managing ICT service providers. Firms must evaluate providers based on their security measures and compliance with industry standards, and contracts with ICT service providers must include essential provisions (such as reporting obligations and certain termination rights). These contracts with ICT service providers must then be documented in a register, setting out the relevant services provided, contractual terms, and compliance statuses, and Firms must actively maintain these registers at an entity level, as well as at sub-consolidated and consolidated levels. Furthermore, certain ‘critical’ ICT third-party service providers (who will be designated by European Supervisory Authorities (ESAs)) will find themselves directly subject to certain requirements under DORA (which we will discuss in a future alert). The ESAs will have additional oversight responsibilities under DORA, and in October 2024, the European Commission adopted a delegated regulation harmonising the conditions required for these responsibilities to come into effect.
6. Information-Sharing Arrangements: Despite not being a mandatory requirement, DORA encourages Firms to exchange cyber threat information, tactics, and techniques to enhance awareness of ICT risks and strengthen overall digital operational resilience. However, we are not yet able to predict how many Firms will take the opportunity under DORA to discuss their cyber threats (and potentially also cyber vulnerabilities).
As a first step, Firms may wish to conduct a gap analysis of their existing operational resilience, as well as identify key internal and external stakeholders. Firms will find that they can leverage many of their existing practices, policies, and procedures to ensure compliance with DORA. For example, incident handling procedures can be updated to reflect the notification requirements under DORA; consideration of mandatory contractual flow-downs can be incorporated into existing reviews of suppliers’ contracts (or, for ICT service providers, customers’ contracts) and any vendor due diligence questionnaires; and current security and resilience training can be bolstered. This is especially true in the context of training given to Firm management, who have particular liability under DORA.
Safwan Akbar, London Trainee Solicitor, contributed to the drafting of this alert.