DORA Regulation – Application Begins in January 2025

The DORA regulation (Digital Operational Resilience Act) is a new EU regulation concerning the financial sector that harmonizes risk assessment and management requirements in the EU, creates a regulatory framework for managing digital risks in the financial sector, and strengthens the level of cybersecurity in the financial sector. In Finland, the regulation applies to all organizations under the supervision of the Financial Supervisory Authority, except for occupational pension companies. The regulation entered into force in January 2023, and its application begins two years later, in January 2025.
The background to the DORA regulation is concern about the threats and vulnerabilities caused by the rapid development of technology for the financial sector, which is why the DORA regulation also covers technology companies serving the sector. For many technology companies, this means new obligations and requirements both in terms of legislation and their own customers’ requirements. The DORA regulation defines ICT service providers on a broad scale, taking into account rapidly evolving technologies.
The DORA regulation sets requirements in the following areas:

  • Articles 5-16: ICT risk management
  • Articles 17-23: Management, classification, and reporting of ICT incidents
  • Articles 24-27: Digital operational resilience testing
  • Articles 28-44: Management of ICT third-party risks
  • Article 45: Information sharing arrangements

What Does the DORA Regulation Mean for Financial Sector Operators and Technology Companies?

“We operate in the financial sector, does the DORA regulation apply to us?”
When an organization operates in the financial sector, there are essentially two different scenarios in which the DORA regulation applies to the organization.
The first option is that the organization is under the supervision of the Financial Supervisory Authority. In this case, being subject to the DORA regulation is unambiguous, with the exception of the previously mentioned occupational pension companies.
The second option is that the organization’s customer has designated the service provider as critical, in which case the service provider’s operations also become subject to the DORA regulation. An example of this is an ICT supplier for investment services. In other words, the customer organization itself is subject to DORA requirements, and thus the requirements flow down the supply chain, as in the NIS2 regulation. In these cases, the customer must include DORA-related requirements, such as incident management and reporting, risk management, and business continuity planning, in the contracts made with the supplier, at least for critical services.
It is good to remember, however, that there are exceptions in the regulation for both sectors and small organizations. The DORA regulation also follows the principle of proportionality, whereby requirements are applied in proportion to the organization and the size of its operations as well as its risk profile.
The exceptions are listed in Article 2 (Scope) of the DORA regulation.
“We provide cloud services or software development to banks, does the DORA regulation apply to us?”
If the cloud service or software development provided falls within DORA’s scope, or could cause significant disruptions to the bank’s operations, the regulation may apply to the service provider. An example of such a situation is the maintenance or application development of a bank’s loan system.
“We operate in accordance with the ISO 27001 standard, does this cover DORA’s requirements?”
The DORA regulation and the ISO 27001 framework have many of the same requirements, but the ISO 27001 framework does not automatically fulfill DORA’s requirements. The ISO 27001 framework supports the DORA regulation, but the ISO 27001 standard does not include, for example, the following DORA regulation requirements:

  • Technological operational reliability in financial sector operators’ ICT systems, protocols, and tools (Article 7)
  • Management of information and communication technology risks (Article 15)
  • Comprehensive testing program for digital operational resilience (Article 24)
  • Threat-led penetration testing (Article 26)

Many of the differences between the ISO 27001 framework and the DORA regulation relate to testing and the scope of testing, which are much more in-depth in DORA than in ISO 27001. Because DORA is mandatory legislation, ISO 27001 certification is not sufficient to meet all of DORA’s requirements. It is also good to note that the ISO 27001 standard is designed to be applicable across multiple industries, while DORA is specifically designed to address financial sector risks.

The Goal is to Improve Financial Sector Information Security

The DORA regulation comprehensively covers the financial sector, and now the requirements are also expanding to many technology companies serving the sector. The goal is to improve and ensure the operations of financial sector operators in disruption situations and reduce the threats of cyberattacks, as the financial sector is increasingly dependent on various technologies. The regulation is mandatory for companies operating in the EU area, and sanctions can be imposed for violating it.
