For companies, the digital world is both a blessing and a curse: on the one hand, digital technologies open up new opportunities, while on the other, they face ever greater risks. Financial service providers in particular are already under great pressure due to the sensitive nature of their data – and now they have to prepare for a new dimension in IT security with the DORA regulation.
DORA stands for "Digital Operational Resilience Act" and is intended to be the European Union's response to the increasing risks posed by cyber attacks and digital disruptions. But what exactly does DORA require? And how can this challenge be overcome without jeopardizing day-to-day business? In this article, we'll show you what's important – and why it's worth taking the new requirements seriously.
What is the DORA regulation?
The DORA Regulation is an EU-wide regulation that addresses a key question: "How resilient is the digital infrastructure of companies and organizations in the financial sector?" Its aim is to strengthen digital operational resilience in companies in the financial services industry and related sectors. This means that these companies must be able to protect their digital systems against cyberattacks and technical disruptions and continue to operate smoothly in the event of a crisis.
The regulation comprehensively regulates how companies must build and document their digital resilience. The main contents include:
- Risk management: Affected companies must identify, assess and minimize risks in the digital sector, particularly in the area of information and communication technology (ICT), at an early stage.
- Reporting: Regular and structured reports on cyber incidents and threats to the relevant authorities are mandatory.
- Tests and simulations: Companies must carry out regular stress tests for their IT systems with regard to digital operational resilience.
- Security measures for third-party providers: Service providers and IT suppliers must also ensure that they meet the requirements of DORA.
- Control and monitoring: Supervisory authorities will be given more powers to check compliance with the regulation. In addition, the exchange of information and findings relating to cyber threats and vulnerabilities is to be intensified.
In this context, it is important to note that the EU adopted DORA as a regulation and not, like NIS2, as a directive. This means that DORA applies directly and in its current form in all member states, without national transposition and without room for individual interpretation. In this way, the EU wants to create clear, uniform standards quickly.
Who is affected by DORA?
The regulation is primarily aimed at companies in the financial sector and companies that provide services in this area. This means that banks and insurance companies are just as affected as smaller financial companies, payment service providers, crypto-asset providers and their third-party IT service providers. In total, over 3,600 companies in Germany must prepare for the new regulation.
DORA and NIS2 are closely interrelated, as financial service providers regulated by DORA are largely exempt from the NIS2 requirements. However, if a financial service provider is not subject to the DORA regulation, it must comply with the NIS2 requirements (see note).
In the text of the regulation, this relationship is described as "Lex Specialis". This means that the special law (DORA) takes precedence over the general law (NIS2) and therefore has priority of application. The exact section reads as follows:
However, it is more complex for third-party providers in the field of information and communication technologies (ICT) that are (also) active in the financial sector. They may have to comply with both NIS2 and DORA and are therefore subject to multiple regulations.
Note: There is an exception for the insurance industry. If a company in this sector has fewer than 250 employees and an annual turnover of no more than 50 million euros and/or a balance sheet total of no more than 43 million euros, it remains unaffected by the DORA Regulation.
When is the new regulation applicable?
DORA entered into force in 2023 and has been in force as an EU regulation in all member states since then. Implementation of the measures described in DORA becomes mandatory for the companies concerned from January 17, 2025. There is no transition period for the affected institutions.
What are the consequences of non-compliance?
The EU relies on strict controls for DORA and punishes violations severely, although exact penalty amounts are not yet known. Nevertheless, companies that do not comply with the regulation must expect severe sanctions. The severity of a sanction is intended to reflect the seriousness of the breach and its potential to destabilize the EU financial system. The penalties can go as far as restrictions on business activities or even the withdrawal of a license.
How is the DORA regulation to be implemented?
In order to meet the requirements of the DORA Regulation, affected companies must take a number of measures. Here is an overview of the most important steps:
- Analysis of the current IT infrastructure: As a first step, a complete overview of the existing IT systems and security measures should be established in order to record the current situation.
- Establish risk management: Developing and implementing a comprehensive risk management program is equally necessary to address all digital and operational risks.
- Always report cyber incidents: A reporting and monitoring system is needed to document cyber attacks and incidents in a structured manner and report them to the authorities.
- Schedule stress tests: Regular simulations and tests are used to check the resilience of IT systems.
- Security requirements for third-party providers: IT service providers and third-party vendors must comply with security standards, which must be regularly monitored and enforced.
- Training and awareness: Training for all employees is essential to raise awareness of cyber security.
- Regular review and adaptation: The digital threat landscape is constantly changing, so the security concept should also be regularly adapted.
Conclusion: DORA is both a challenge and an opportunity
At first glance, the DORA Regulation may seem like an additional hurdle, but it also offers a valuable opportunity: companies can use it to strengthen their own digital resilience and better arm themselves against cyber threats. Implementation is certainly a challenge – after all, the EU does not want to leave anything to chance here. However, those who take the requirements seriously and implement them in a structured manner are investing in the future of their company and minimizing the risk of disruption.
Secure collaboration platforms such as Stackfield support this approach by providing companies with a secure platform for collaboration and the management of IT security tasks. Here, all projects and processes can be organized in a central, structured and GDPR-compliant manner. This makes Stackfield not only a powerful tool for implementing the regulation, but also for building a robust digital infrastructure.