Cyber threats are more acute than ever. As the digital sector continues to evolve, defence protocols are changing with it. Once upon a time, cyber security meant safeguarding data. Today, governments and regulators have expanded their focus to maintaining the integrity of the entire financial ecosystem.
What is DORA?
The European Union’s Digital Operational Resilience Act (DORA) represents a key step towards ensuring financial entities and their ICT systems remain resilient against cyber threats. Enacted in November 2022, DORA establishes a standardised framework for digital operational resilience across the EU. It entered into force on 17 January 2025.
DORA was the EU’s response to the patchwork of attempts by individual national regulators to provide a uniform solution. When these separate efforts only fragmented the financial sector’s approach to cyber security even further, the EU stepped in.
How does DORA work?
DORA aims to improve the financial industry’s operational resilience by ensuring business continuity even when an organisation’s ICT is disrupted, such as during a cyberattack.
The act introduces five key pillars to enhance digital resilience:
1. ICT risk management
Financial institutions must develop and implement risk management frameworks for all critical assets. These frameworks consist of business continuity strategies, recovery procedures, communications strategies, and security measures.
2. Third-party risk management
Managing third-party risk is one of DORA’s most challenging aspects. Cloud Service Providers (CSPs) classified as ‘critical’ must comply with regulatory standards, but the obligation does not stop there: financial entities must also implement their own third-party risk programmes to prevent operational disruptions from supply chain attacks.
3. ICT incident reporting
DORA consolidates multiple reporting requirements into a single channel to streamline incident reporting. In the event of a major incident, financial firms are required to file a root cause report within one month and must also implement early warning indicators to detect and report disruptions.
4. Operational resilience testing
Financial entities are required to undergo regular digital operational resilience testing conducted by independent third parties. These tests, which are designed to ensure the reliability of ICT defences, should form part of a structured programme with defined methodologies, tools, test frequency, and prioritisation strategies.
5. Information and intelligence sharing
DORA encourages financial entities to share cyber threat intelligence within trusted financial communities. This knowledge exchange aims to enhance awareness of new cyber threats, reliable security solutions, and operational resilience strategies.
Who is impacted by DORA?
DORA applies to a broad spectrum of financial entities and associated institutions, including the following:
Financial institutions
- Banks
- Payment institutions
- E-money institutions
- Investment firms
- Insurance and reinsurance companies
- Central securities depositories
- Trading venues
- UCITS management companies
- Alternative investment fund managers
- Credit rating agencies
Financial market infrastructures
- Central counterparties
- Trade repositories
- Operators of trading venues
Financial data and tech providers
- Crypto-asset service providers
- ICT third-party service providers (if designated as ‘critical’)
- CSPs supporting financial institutions
- Providers of core banking, payments, and trading technology
Other regulated entities
- Crowdfunding service providers
- Insurance intermediaries
- Pension funds
- Audit firms performing statutory audits of financial institutions
DORA’s regulatory framework ensures that all participants maintain robust cyber resilience, protecting the stability of the entire financial ecosystem.
How is DORA enforced?
DORA enforcement is overseen centrally by the European Supervisory Authorities (ESAs). These consist of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA).
At EU member-state level, enforcement is delegated to each country’s designated ‘competent authorities’. These authorities have the power to compel financial institutions to take appropriate security precautions and address relevant vulnerabilities. They will also be able to impose administrative and even criminal penalties upon institutions that fail to comply.
How Redstor supports financial institutions in achieving DORA compliance
DORA compliance requires a multifaceted approach. Redstor’s data backup solutions help financial institutions mitigate cyber risks and enhance resilience. Here’s how:
- Air-gapped protection: Ensuring primary and backup storage systems are physically separated prevents cybercriminals from accessing backup copies.
- 3-2-1 backup strategy: This approach, widely regarded as industry-best practice, involves maintaining three copies of data, storing backups on two different media types, and keeping one backup offsite.
- Backup data malware detection and removal: Ransomware often remains dormant before activation, making malware-free recovery difficult. Redstor’s solutions detect and remove malware from backup data, ensuring a clean recovery environment.
- Rapid recovery flexibility: Minimising downtime is as crucial as preventing data loss. Redstor enables rapid data access and prioritises critical data recovery to ensure business continuity.
DORA is reshaping the financial sector’s approach to cybersecurity, making operational resilience a regulatory priority. By leveraging Redstor’s cyber resilience solutions, your business can stay one step ahead of compliance requirements.
Get in touch today to learn more.