What is DORA and why is it critical for organizations to comply with it?

The Digital Operational Resilience Act (DORA) is a security wake-up call specifically for financial institutions, including banks, investment firms, organizations that deal with cryptocurrencies, and third parties that provide information and communication technology (ICT) services to financial entities.

It was introduced by the European Union (EU) to manage and mitigate ICT-related risks, such as supply chain vulnerabilities, data breaches, and cybersecurity threats. DORA focuses on the three Rs: resilience, response, and recovery against cybersecurity incidents. DORA is enforceable from Jan. 17, 2025, and firms that fail to comply must bear fines (2% of total worldwide annual revenue or up to EUR 1 million).

With that being said, one might wonder why a new regulation is being mandated, given that there are already internal regulations for financial institutions. The answer to that is consistency. DORA aims to set universal regulations that apply to all financial institutions in the EU, removing any discrepancies in the rules followed by individual institutions.

DORA isn't just another regulation—it's streamlined to secure your firm from growing cybersecurity attacks by offering long-term resilience.

The 5 pillars of DORA

DORA's pillars are a shield against cybersecurity risks, aiding in proactive risk management. Here are the five pillars:

□ ICT risk management: DORA mandates financial organizations to keep track of trends in security risks and strategize in order to mitigate those risks. To safeguard the business, financial organizations must protect their IT systems (servers, databases, cloud storage, etc.) by implementing robust security measures, such as IAM, SIEM, and patch management.

□ Incident reporting: Entities are instructed to establish a modus operandi for detecting, logging, and reporting ICT-related incidents. They will also need to produce three reports: an initial report to notify the proper parties about the incident, an intermediate report to provide updates on mitigation efforts, and a final report that details the causes and corrective actions.

□ Digital operational resilience testing: This is to ensure financial entities can withstand and recover from cybersecurity attacks. By conducting more ad-hoc testing and threat-led penetration testing, an organization can strategically assess their strengths and identify vulnerabilities against potential cyberthreats.

□ Third-party risk management: DORA extends its regulatory oversight to ICT providers that work with financial entities to ensure outsourcing does not compromise security.

□ Information sharing: Cybersecurity collaboration is highly encouraged, as this approach allows organizations to discuss the cyberthreats faced by each other. This fosters a resilient environment and helps strengthen defences against cyberthreats.

IT horrors: How Travelex, a currency exchange organization, lost millions

In 2019 and early 2020, Travelex, a well-known foreign exchange company, faced its worst nightmare: a ransomware attack that crippled its systems. As a result, the firm had to take down all of its websites across 30 countries.

The hackers held this company ransom by exploiting known unpatched vulnerabilities, locking the company out of its own system. This ultimately resulted in a loss of GBP 4.6 million and forced the organization to use pen and paper for administration.

This incident highlights the need for DORA compliance. Let's analyze how DORA could have changed history.

  1. Risk management: DORA mandates a comprehensive risk management strategy, which would have led Travelex to patch the high-risk vulnerability that led to the attack in the first place.

  2. Digital operational resilience testing: DORA enforces consistent ad-hoc and threat-led penetration testing, which likely would have exposed the vulnerabilities in Travelex's infrastructure. The company then could have addressed the weakness, reducing the likelihood of the attack.

  3. Third-party ICT providers: The unpatched vulnerability was abused in a third-party software known as Pulse Secure VPN. DORA's stringent requirements for overseeing and establishing security protocols for third-party ICT providers would have guaranteed prompt patching of vulnerabilities.

The Travelex ransomware attack is a cautionary tale that reminds businesses of the necessity to prioritize digital operational resilience. By aligning with DORA guidelines, financial institutions can safeguard themselves from cyberthreats, financial losses, and operational disruptions.

Now that you understand the importance of DORA, it's time to get your business on the right track. Beyond protecting your organization from malicious actors and cyberthreats, DORA helps build your reputation amongst your customers. Start your journey towards compliance today!

For seamless compliance, explore how Log360’s DORA compliance extension can help you monitor, audit, and stay aligned with regulatory requirements effortlessly. In the meantime, check out other regulatory mandates supported by Log360 to gain insight about various compliance standards.