Wed. Jan 8th, 2025

The deadline for the Digital Operational Resilience Act (DORA) is fast approaching. What do CISOs need to know about the requirements of the forthcoming DORA regulation?

The widely publicised regulation impacts the EU financial services landscape and is designed to improve the sector’s cyber resilience. However, any entity, whether EU based or not, must abide by the sweeping regulation if they do business with any one of the EU’s 22,000 financial entities.

Similar to other global regulators, such as the Hong Kong Monetary Authority, the EU is now mandating a comprehensive range of security requirements that are legally enforceable under DORA.

The key aim of the regulation is to ensure that financial firms in the EU, and their partners, can remain resilient in the face of disruptions which can be caused by cyber incidents or outages.

Today, financial organisations are increasingly reliant on third-party technology to deliver their services, but when these providers face disruptions, this threatens the stability of the entire financial sector. If resilience plans are not in place, these risks can impact customers and businesses while threatening the overall EU economy. These are risks DORA has been designed to thwart. The regulation will work to ensure outages never threaten the stability of the EU’s financial sector.

Ensuring that all financial organisations in the EU can still operate even if key partners are potentially facing disruptions adds a layer of resilience around the sector which should safeguard it in the face of digital breakdowns. But, in an increasingly complex digital world, where the supply chains of financial players can span the world, putting the regulation into practice will prove to be a massive undertaking.

So, what do CISOs need to know about the requirements of the forthcoming DORA regulation?

Understanding DORA’s requirements

Full compliance with the DORA regulation becomes mandatory on 17 January 2025.
The main DORA act brings with it a host of binding security requirements in areas such as ICT incident and supplier management. The true breadth of the regulation becomes evident when scrolling through the 500+ requirements in the underlying ICT Risk Regulatory Technical Standards. These include foundational elements of security such as:

IT asset management.
Encryption protocols.
Vulnerability and patch management.
Access control measures.
It’s essential to recognise that much of what DORA requires aligns closely with the practices organisations should have already adopted as part of their wider cyber strategies. Many of DORA’s requirements are foundational and have long been advocated by established frameworks, such as NIST and the CIS.

Take IT asset management as an example. Since 2014, NIST has emphasised the importance of tracking and managing IT assets. DORA reinforces this by requiring organisations to “develop, document and implement a policy on the management of IT assets”.

The regulation further outlines nine

Di