
DORA Compliance: objectives, issues, criteria, solutions

DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is a European regulation adopted by the European Parliament and the Council in December 2022. It entered into force on 16 January 2023 and applies from 17 January 2025. Its goal is to strengthen the digital operational resilience of financial entities and of the ICT services they depend on, in other words their cybersecurity and their ability to keep operating through an incident.


Who is affected by DORA compliance?

Around 22,000 companies

related to the financial sector are affected: credit institutions, payment institutions, crypto-asset service providers, insurance and reinsurance undertakings, intermediaries, pension funds, critical ICT third-party service providers, etc.

The main exception

Microenterprises (fewer than 10 employees and an annual turnover or balance sheet total not exceeding 2 million euros) are not fully exempt: they remain in scope but are subject to a simplified, proportionate set of obligations. A few specific categories of entity are excluded outright by the text of the regulation itself.

Why DORA regulations?

DORA focuses on resilience applied to cybersecurity, listing pragmatic criteria and recommendations.

Every financial institution runs on IT and processes data, so an uncontrolled cybersecurity incident can turn into a financial disaster (the 2022 hack of the crypto-currency exchange FTX is one example). This is why the EU drafted DORA.

What are DORA's objectives?

The financial sector is already supervised at European level (by the European Central Bank for the largest banks and by the European supervisory authorities for the rest), but ICT security requirements, their application and their interpretation have so far remained national. DORA's aim is to unify these rules around a common level of security and to help companies to:

  • Identify assets and risks related to activities, including IT risks.

  • Protect the information system to ensure the provision of critical infrastructure services.

  • Detect cybersecurity events.

  • Respond to incidents, support recovery activities, and improve the situation.

  • Recover and restore affected systems to ensure business continuity.

What are the DORA requirements?

  • A digital operational resilience testing programme: vulnerability assessments and penetration tests on critical systems, plus advanced threat-led penetration testing (TLPT) at least every three years for the entities designated by their supervisor. This is what Patrowl covers with continuous pentesting, Offensive Cybersecurity-as-a-Service, sometimes referred to as Pentest-as-a-Service.

  • Permanent detection of vulnerabilities: this is also what Patrowl does, by constantly rediscovering and monitoring the company's external attack surface (assets exposed to the Internet).

  • Service resilience with a Business Continuity Plan (BCP) and crisis management process that must be tested and updated.

  • Classify and manage ICT-related incidents to limit their spread and impact, report major incidents to the competent authority, and share knowledge with peers and regulators.

  • Risk management and governance to limit the disruption caused by a cybersecurity incident.

  • Real consideration of the cybersecurity of third parties (suppliers) through risk analysis, control and audit.

  • Sharing intelligence between financial organizations.

  • Ongoing detection of cybersecurity incidents.

Solution & platform for DORA regulation

Compliance is the financial entity's own responsibility, not a property of a tool, but Patrowl's SaaS platform directly supports DORA's requirements for continuous monitoring of Internet-exposed assets and recurring security testing of those assets.

Going further with DORA?

To find out more about DORA, read lawyer Marc-Antoine LEDIEU's articles detailing the issues, implications and consequences of the DORA regulation.

Conclusion

DORA compliance is a major issue for financial institutions and their critical third parties. By anticipating the requirements and collaborating with cybersecurity experts, you can ensure your compliance and avoid sanctions.

Your questions:

How can I avoid DORA compliance penalties?

  • Anticipation: Start putting your systems and processes in compliance now.

  • Training: Raise awareness among your teams about DORA requirements.

  • Partnership: Collaborate with cybersecurity providers or digital resilience experts.

What are the penalties for non-compliance with DORA?

DORA leaves the exact administrative penalties to each member state's competent authority, but financial entities that do not meet its obligations face:

  • Financial fines proportional to the severity of the non-compliance.

  • Operational restrictions (temporary or permanent ban on providing certain services).

  • Administrative measures (compliance orders, appointment of an external auditor).

Beyond the formal sanctions, a public finding of non-compliance or a badly handled incident also causes reputational damage (loss of trust from clients and partners).

How can I assess my compliance with DORA?

  • Understand the requirements: Identify specific obligations based on your sector and size.

  • Conduct an internal audit: Assess your ICT governance, BCP, and operational resilience testing.

  • Implement controls: Identify gaps and implement corrective actions.

  • External testing: Engage an independent organization to test your systems, as DORA requires for advanced testing.

  • Continuous monitoring: Update your policies and processes based on new threats.