BID® Daily Newsletter
Nov 12, 2024

BID® Daily Newsletter

Nov 12, 2024

DORA as a Guideline for Heightened Cybersecurity

Summary: As European financial institutions prepare to adhere to the EU’s Digital Operational Resilience Act, CFIs may find value in using these rules and regulations to help shape cybersecurity initiatives.

“Dora the Explorer” is an animated television series centered around a young Latina girl, Dora, who goes on adventures to solve a specific problem or goal that is established at the start of each episode. The Nickelodeon series, which launched in 2000, was so popular with children that it spawned multiple spin-offs and one of the highest-grossing retail franchises ever, which, at the height of the show’s popularity was worth $13B.
The lasting impact of Dora the Explorer is the lessons the program taught millions of children. Now, the banking industry has the chance to learn from another type of DORA — the European Union’s (EU) Digital Operational Resilience Act, which aims to enhance the digital resilience of the financial sector.
Why DORA?
DORA is an EU legislative framework that seeks to diminish the risks of the financial sector’s increasing reliance on technology and third-party technology providers. DORA will do this through a set of standardized processes regarding reporting, management, and the way that organizations react to information and communications technology (ICT) risks.
The goal of the legislation is to heighten preparedness within the financial system and reduce the possibility of wide-reaching digital events, such as the July 2024 CrowdStrike security update that led to a massive IT outage, grinding business to a halt at millions of organizations around the world. The new rules were put into effect in January 2023, but they will not be enforced until January 2025.
DORA’s Rules and Requirements
The following are DORA’s requirements: 
  • Diligent risk management regarding third-party ICT.
  • Mandatory reporting of ICT-related security breaches.
  • Extensive operational resilience testing, using procedures such as the EU’s threat intelligence-based ethical red teaming (TIBER-EU), which allows organizations to use simulated cyberattacks on themselves to identify weaknesses in their security. 
To ensure that EU financial institutions take the new rules seriously, financial institutions that fail to comply can be hit with fines as high as 2% of their annual global revenues. EU authorities can also levy fines against individual managers when breaches occur, for up to $1.1MM. Given the rising importance of third-party providers in the equation, regulators are also prepared to levy fines of up to 1% of average daily global revenues for the previous business year against IT providers. Firms can face additional daily fines until they take the steps necessary to become compliant for up to six months.
While DORA’s rules and regulations are targeted to EU organizations, they will still apply to organizations that provide services to customers residing within the EU. Similarly, US-based ICT service providers who serve as third-party providers for EU financial organizations also fall within the confines of the regulatory framework. For the most part, however, DORA’s greatest significance for US financial institutions may be the guidance it provides on some of the most effective ways to enhance digital operational resilience.
What Your Institution Can Learn from DORA
A major component of DORA is the requirement for organizations to share information with one another regarding security risks, from incidents and the way an organization responds to them, to close calls. This requirement extends to incident management related to third-party providers. By enhancing visibility within the financial services industry of the threats experienced by their peers, the hope is that organizations will be able to more effectively improve their own security measures. The regulation also forces financial institutions to do deeper due diligence on the security measures in place at third-party technology providers. 
The broad steps that DORA encourages organizations to take are also ways in which community financial institutions can improve their own cyber security and digital resilience to fraud. 
Some of the key strategies of DORA that community financial institutions can implement or enhance include:
  • Incident management
  • IT risk management
  • Digital operational resilience testing and implementation for better third-party risk management.
As community financial institutions strive to enhance their own cybersecurity, they would be well served to dig into some of the suggestions outlined by DORA and keep a close watch on how European financial institutions respond to the impending enforcement of the new regulations.
Subscribe to the BID Daily Newsletter to have it delivered by email daily.

Related Articles:

What CFPB’s Rule Means for Consumer Data and Competition
Even if your institution isn't required to comply with the new Personal Financial Data Rights rule, preparing for open banking is essential. As consumer demand for data sharing grows, adopting secure digital interfaces will help you stay competitive and meet evolving expectations.
PCBB’s President’s Top Predictions for CFIs in 2025
We interviewed PCBB President Mike Dohren about the key trends he anticipates affecting CFIs in 2025, including regulatory changes, mergers and acquisitions, lending trends, and technology.