Regulations related to cybersecurity, risk management, and incident reporting will be changing the ways many companies do things this year on both sides of the Atlantic. In the EU, the Digital Operational Resilience Act (DORA) is going to bring that change to companies in the financial sector and their "critical" contractors.

As a cybersecurity company headquartered in the EU, offering services that assist our customers with Application Security and Risk Management, we've been watching this.

The changes can be complex. That's evidenced by DORA's 106 preambles, 64 articles, and multiple resulting regulatory schemas. In this article, we'll go for a very high-level understanding of DORA to get you started on your journey toward compliance.

Does DORA impact my business?

If your company has operations in Europe and is considered to be in the financial sector or provides "critical" information and communications technology (ICT) services to one or more European financial sector companies, you're impacted.

According to the European Central Bank's 2020 Supervisory Review and Evaluation Process Report on ICT Risk Assessment, 98% of institutions were using some level of outsourcing in their operations (chart 64) and 85% had some level of use of cloud computing services (chart 11). This means almost every affected company will not only have internal compliance work to do, but will also have to work with its vendors to ensure compliance.

What is the Digital Operational Resilience Act? 

DORA is billed as part of a package of measures aimed at boosting digital innovation and competition in the EU's financial sector while addressing the risks that come with it. 

While governments made progress in reining in the financial sector's appetite for risk with new capital management standards after the last big crisis in 2008, the following decade and change saw the growth of new risks from increasing digitization and automation across the financial sector. That's where DORA comes in. 

The goal is to make sure financial systems operating in and throughout the European Union are better able to stand up to and cope with the evolving landscape of digital risks, protect their customers and investors, and mitigate threats to the strength and stability of both their businesses and Europe's collective economy.

What are some of the key provisions coming our way?

DORA establishes the ability to set standards in multiple areas. Many of these standards are currently in the process of being set. Multiple final draft sets were published in January 2024. These will then need to be approved by the European Commission, then the European Parliament and the Council of the European Union. Upon full approval and publication, they'll go into effect 20 days after the publication and be enforced by "competent authorities" in each member state.

Included in that set of final draft publications were rules governing:

  • Incident reporting: these rules create a framework, setting thresholds for whether incidents are considered material and standards for categorization and measurement of severity, to streamline both reporting and response.
  • Risk management: these rules set standards for "risk management tools, methods, processes, and policies." These are all things you'll need to have in place to comply with reporting and auditing standards. This will likely require you to audit both your own current security measures and those of your vendors, identify gaps and weaknesses, and provide periodic reporting on updates and improvements.
  • Contracts: DORA sets rules for contractual standards when outsourcing to critical ICT third-party providers (CTTPs). This will require a lot of contracts to be rewritten or even renegotiated to ensure that standards for security and risk management are enumerated and enforced.
  • Registering contracts: Standardizes how financial sector companies must record and register their contracts/relationships with CTTPs.
  • Testing: Covered entities will be required to perform (per article 25, paragraph 1):
    • Vulnerability assessments and scans.
    • Open source analyses.
    • Network security assessments.
    • Gap analyses.
    • Physical security reviews.
    • Questionnaires and scanning software solutions.
    • Source code reviews where feasible.
    • Scenario-based tests.
    • Compatibility testing. 
    • Performance testing.
    • End-to-end testing.
    • Penetration testing.

In most cases, these won't become enforceable until January 2025, but as contract renewals start coming up in 2024, they'll need to be considered to help ease CTTPs and their clients into the more regulated contract renewal process in 2025.

And, of course, GitGuardian has solutions that can solve some of the risk management, incident management, testing, and reporting requirements. We integrate with many of your existing workflow solutions, offer additional management tools for remediation, and have wonderful partners who can help you fill out more of your DORA picture. Contact your account manager to start a discussion.

Next steps

The information provided here does not represent and is not intended to be taken as legal advice. If you think you might be impacted by DORA as a covered financial entity or an ICT vendor to covered financial entities, you should seek competent professional legal advice to help ensure your compliance with this legislation. As with many government regulations, all the best practices in the world will not matter if you're not documenting them by the book.

Remember those 106 preambles and 64 articles plus the multiple regulatory schemas being created in response to them. Unless you specialize in regulatory comprehension and compliance, let someone who does advise you.

(Edited Feb 27 to add more testing details)