Imagine your financial company has successfully managed the assets of many customers for years. Your customers have invested their money with you in various products such as accounts, custody accounts and insurance policies. But one day, your institution falls victim to a cyber attack and your customers' digital assets are suddenly at risk. The EU's new “DORA Regulation” aims to prevent precisely such scenarios. And rightly so, we think!
What is the DORA regulation?
The abbreviation “DORA” stands for “Digital Operational Resilience Act”. It is intended to help make the European financial sector more resilient - i.e. more resistant and stronger - against digital threats that can arise, among other things, from cyber attacks or from information and communication technology (ICT) risks.
The EU has also opted for a regulation rather than a directive. A directive (e.g. the Whistleblower Directive) must first be “transposed” into national law (in our case, German law), and each EU member state has certain freedoms in doing so. The result: all EU states pursue the same goal, but how exactly they do this is largely up to them. By contrast, a regulation (e.g. the General Data Protection Regulation) applies directly, which means that its provisions must be complied with directly and in exactly the same way in all EU states. The fact that the EU has chosen a regulation here therefore signals that it wants to create clear and uniform standards (quickly).
To whom and from when does the DORA Regulation apply?
The DORA Regulation must be applied in practice from 17.01.2025 and applies to the financial and insurance sector. This includes, for example, banks and credit institutions, investment firms, crypto and crowdfunding service providers, rating agencies and many more.
However, it also applies to IT service providers in this sector (“ICT third-party service providers”). Anyone offering “digital services and data services provided through ICT systems to one or more internal or external users on a permanent basis, including hardware as a service and hardware services [...]” must also implement this regulation.
However, it does not apply to some companies in the insurance sector (note: ONLY the insurance sector!) that have fewer than 250 employees and whose annual turnover does not exceed €50 million and/or a balance sheet total of €43 million.
What is the DORA regulation supposed to achieve - and why?
The main purpose of the regulation is to make financial companies more resistant to digital threats. The main reason for this, of course, is to protect customers or consumers from having their money or assets fall victim to technical security vulnerabilities.
The DORA regulation is not just a “nice-to-have” or, yet again, a regulation that creates more work than sense. It is absolutely in tune with the times and urgently needed! Put yourself in an attacker's shoes for a moment: where else could IT security vulnerabilities be turned into as much money as quickly and easily as at financial institutions?
What is regulated in the DORA regulation, among other things?
The overall digital resilience of the European financial sector is to be strengthened and standardized at the same time. This relates in particular to 6 areas:
- ICT risk management (to repeat: “ICT” = information and communication technology)
- Handling, classifying and reporting ICT-related incidents
- Testing digital operational resilience (incl. threat-led penetration testing)
- Managing ICT third-party risk
- Specifying how critical ICT third-party service providers are to be monitored
- Agreements on the exchange of information and on cyber crisis and emergency drills
What does the DORA regulation mean in practice?
DORA is not just an “annoying” and costly obligation for companies; it can also be seen as a real opportunity. The obligation to close their own technical security gaps gives companies the chance to go beyond the minimum required and thereby gain a market advantage over their competitors in the financial and insurance sector.
Our recommendations for you:
- Try to understand what your (external) IT service providers do and how they protect themselves
- Carry out comprehensive gap analyses now
- Focus your attention on topics such as threat intelligence and threat-led penetration testing sooner rather than later
- And last but not least, our most important recommendation:
Take a few minutes to read through this regulation for yourself! Not only the articles, but especially the recitals at the beginning, explain more than you probably know and need to know. If you do so, you will already be further ahead and better informed than many other people (and lawyers) who only draw their knowledge from articles or commentaries. We promise: it is not only easier and quicker, but also safer in the long term than spending hours researching on Google!
Editor's comment:
We ourselves spent a long time researching this topic and came across many articles from what are actually very reputable companies that contained serious errors. What's more, different companies that research and address this topic have different focuses that benefit them the most. Therefore: 2-3 hours invested in carefully reading this regulation is more valuable and better invested than spending 30 minutes every week researching articles - for years to come!
In the coming weeks, we will provide in-depth insights and updates on the DORA regulation as well as practical solutions and templates to help financial companies efficiently implement the requirements of the regulation.