November 24, 2025  —  Lee Pender

DORA compliance checklist: A guide for financial entities and their technology partners


While it shares a name with a popular cartoon character, there’s nothing cute about this DORA. The Digital Operational Resilience Act (DORA) has financial entities and their service providers scrambling to meet DORA requirements or face fines and penalties.

DORA is a cornerstone of the European Union's strategy to strengthen the financial sector against risks related to information and communications technology (ICT), although it has global implications that reach far beyond Europe. For financial entities, meeting requirements is critical, but the DORA regulation also introduces new obligations and oversight for the technology providers who furnish services to financial firms.

Failure to meet DORA requirements comes with a financial bite

Failure to comply with DORA requirements can lead to fines both for organizations and individuals. Financial entities can face fines of up to 2% of their total annual worldwide revenue or 1% of their average daily revenue worldwide. Service providers can incur similar penalties.

As a result, DORA compliance is essential for both financial entities and their service providers, including managed service providers (MSPs) and software vendors. But meeting DORA requirements can be tricky, so organizations need to know how to avoid common pitfalls. This checklist provides broad guidance for how financial entities and service providers can keep up with DORA requirements with minimal stress and expense.

DORA compliance checklist: What financial entities need to do to meet DORA requirements

DORA makes it clear that financial entities, such as banks and insurance companies, are ultimately responsible for their own digital operational resilience.

To comply, financial entities need to make sure they can mark every box on this DORA checklist:

  • Establish a robust ICT risk management framework: The regulation requires financial entities to have "comprehensive capabilities to enable a strong and effective ICT risk management." This includes having a clear strategy for addressing ICT risks and setting a level for risk tolerance.
  • Report major incidents: Financial entities must have specific mechanisms for handling and reporting "major ICT-related incidents." Financial firms must inform their clients about any major events that affect their financial interests and detail the measures the financial organization is taking to mitigate them.
  • Conduct regular testing: To uncover and address potential vulnerabilities, financial firms are required to have policies in place for regularly testing their ICT systems, controls, and processes. All but the smallest financial entities must regularly audit their ICT risk management framework.
  • Manage third-party risk: Financial entities must apply a strategic approach to monitoring the risks posed by third-party service providers. This involves carefully assessing contractual arrangements to identify potential risks, especially those related to subcontracting.
  • Cooperate and share information: Entities are encouraged to share cyberthreat information and intelligence with each other in order to enhance their collective ability to prevent and respond to threats.

DORA compliance checklist: What service providers need to do to meet DORA requirements

Under DORA, ICT third-party service providers, including MSPs and software vendors, are subject to a new "oversight framework" if they are designated as "critical" to the financial sector, which most are. A key principle of this framework is the requirement for providers to cooperate fully with a "lead overseer" and other authorities.

The MSP and vendor DORA checklist involves four broad actions:

  • Cooperation and auditing: Providers must fully cooperate during inspections and audits conducted by the financial entity, its competent authorities, and the lead overseer.
  • Business continuity and security: MSPs and vendors are required to implement and test business contingency plans and have the necessary security measures, tools and policies to ensure the secure delivery of services.
  • Support for transition: Contracts for critical services must include provisions for dedicated exit strategies and a mandatory adequate transition period from one service provider to another. This is intended to prevent disruptions if the financial entity chooses to switch providers.
  • Threat-led penetration testing (TLPT): Critical service providers are required to participate in and fully cooperate with the TLPT carried out by the financial entity.

Why the DORA checklist can be difficult to complete

Even with a clear regulatory framework, both financial entities and their service providers face significant hurdles in meeting DORA requirements. These challenges stem from the regulation's broad scope, its prescriptive nature and the intricate web of dependencies in the modern financial ecosystem.

DORA checklist challenges for financial entities

DORA requirements necessitate a fundamental shift in how financial institutions view and manage risk. It’s not an easy change to make.

Third-party oversight and contractual complexity: Perhaps the most critical challenge for financial entities is managing third-party risk. Many firms work with a multitude of vendors, making it difficult to track and ensure that every contract aligns with DORA's stringent requirements.

The regulation mandates specific contractual provisions, such as audit rights and exit strategies, which often require renegotiating existing agreements. Service providers, who may have their own standardized contracts, may resist these changes, leading to protracted and difficult negotiations.

Operational integration and legacy systems: DORA's requirements for a robust ICT risk management framework and resilience testing can be particularly difficult for financial entities operating with legacy systems. Upgrading these systems to meet the new, rigorous standards for security, incident reporting and data recovery can be a massive undertaking, requiring significant investment and a broad range of technical and organizational changes.

Defining "critical" and reporting incidents: Financial entities must identify their "critical or important functions" and the ICT services that support them. This process can be complex, especially for smaller or less-regulated entities that may not have a clear framework for this kind of assessment. Additionally, there is often uncertainty around what constitutes a "major ICT-related incident," leading to a lack of standardization and potential delays in reporting.

Resource constraints and costs: DORA compliance is not a one-and-done exercise; it requires continuous oversight and investment. Many financial institutions, particularly smaller ones, struggle with the costs and resource requirements of hiring specialized personnel, implementing new technologies and conducting regular, in-depth testing, such as TLPT.

DORA checklist challenges for service providers and software vendors

DORA primarily regulates financial entities, but its effects cascade down to the third-party providers they rely on. Service providers face challenges of their own.

Regulatory uncertainty and scope: A key challenge for service providers is simply understanding if and how DORA applies to them. The definition of "ICT services" is broad, and it may not be immediately clear whether a provider's services fall within the regulation's scope. The possibility of being designated a "critical" ICT third-party service provider adds another layer of complexity and regulatory scrutiny.

Increased contractual demands: Service providers are facing increased pressure from their financial clients to amend contracts to include DORA-mandated clauses. This can disrupt their standard business practices and lead to legal and commercial challenges. Providers must also be prepared for enhanced due diligence and audits from their clients and, in some cases, a lead overseer.

Adapting to new oversight: For providers designated as "critical," DORA introduces a new, comprehensive oversight framework. This means MSPs and other providers must be prepared for inspections, audits and requests for information from regulators. Noncompliance can lead to severe financial penalties and, in the most extreme cases, the suspension of their services to financial entities.

Balancing standardization with customization: Service providers often rely on standardized services to achieve economies of scale. However, DORA's requirements sometimes necessitate a degree of customization to meet the specific needs of financial entities. This can be a delicate balancing act, as providers must adapt to new demands while managing the costs and complexities of offering bespoke solutions.

How Acronis solutions enable DORA compliance

Achieving digital operational resilience is a core mandate of the DORA regulation, and technology solutions play a crucial role in enabling it. Acronis provides a suite of capabilities designed to help financial institutions and their service providers meet stringent requirements.

Operational resilience and rapid recovery

A key component of DORA compliance is the ability to quickly recover from disruptions and pass operational resilience tests, including TLPT. Acronis addresses those challenges with automated backup and rapid disaster recovery features that span physical, virtual and cloud infrastructures.

This functionality ensures that financial entities can swiftly restore critical data and maintain business continuity. With such capabilities in place, financial entities and their service providers can pass TLPT and other required tests.

Cybersecurity provisions built into contracts

DORA emphasizes the need for strong cybersecurity provisions within contracts and throughout operations. Acronis helps organizations meet this challenge with a comprehensive, natively integrated cybersecurity platform. A single, unified dashboard enables centralized monitoring of risks, alerts and reporting.

With robust cybersecurity features powered by AI, financial entities and their service providers can quickly identify, stop or mitigate potential security issues. This unified approach also simplifies the process of creating audit documentation, addressing another critical DORA requirement.

Continuous monitoring processes

DORA compliance also necessitates that financial entities and their service providers continuously monitor processes and establish clear contractual agreements that foster collaboration.

By offering a single platform for managing data protection, cybersecurity and endpoint management, Acronis promotes simplified cross-functional collaboration both internally within financial firms and between firms and their service providers. As such, all parties can ensure that contractual agreements and continuous monitoring processes are aligned and easy to manage.

Navigating the new world of DORA compliance

DORA requirements are driving a significant evolution in financial regulation, shifting the focus from purely financial risk to the critical area of digital operational resilience. For both financial entities and their technology partners, understanding and preparing for these new obligations is essential. By taking a proactive approach to third-party risk management, enhancing cybersecurity measures and fostering greater collaboration, organizations can navigate the complexities of the DORA regulation.


About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.