What is the Digital Operational Resilience Act?
The Digital Operational Resilience Act harmonizes the rules relating to operational resilience for the financial sector applying to 20 different types of financial entities and ICT third-party service providers, covering an estimated 22,000 organizations across the European Union.
DORA aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks. The new regulation requires financial entities, and their critical ICT suppliers, to implement contractual, organizational, and technical measures to improve the level of digital operational resilience of the sector.
DORA entered into force on 16 January 2023 and will apply to all 27 EU member states as of 17 January 2025.
DORA is structured around five key pillars, each designed to address distinct aspects of financial services digital operational resilience.
- ICT risk management and governance: DORA makes management and board members responsible for defining, implementing, and maintaining an ICT risk management framework to effectively deliver greater digital operational resilience. DORA mandates that financial entities have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk.
- Incident reporting: Financial services organizations need to establish systems to monitor, manage, log, classify and report ICT-related incidents to evaluate attacks, mitigate impact on customers and operations, and report to the authorities.
- Digital operational resilience testing: Financial entities need to implement and perform a comprehensive digital operational resilience testing program annually. DORA also outlines that financial entities need to ensure the involvement of ICT third-party providers in their digital operational resilience testing if applicable.
- ICT third-party risk: One of DORA’S key emphases is ICT third-party risk and its role in risk mitigation. Financial institutions rely heavily on external ICT providers who may be outside of the EU, such as several cloud providers. Consequently, financial entities need to include ICT third-party risk as an integral component of their ICT risk management framework.
- Information sharing: DORA also encourages voluntary information sharing about cyberthreat information and intelligence to enhance the industry’s digital operational resilience.
DORA applies to a broad range of financial service providers, including banks, credit institutions, payment institutions, e-money institutions, investment firms, and crypto-asset service providers, among others. Importantly, DORA defines critical ICT services provided to financial institutions. If an organization is a provider of critical ICT services to a financial institution, it will be subject to direct regulatory oversight under the DORA framework. That includes, for example, cloud platforms and data analytics services, even if they are based outside the EU.
DORA is an EU Regulation, which means that it is the law in the EU as of 17 January 2025. Unlike an EU Directive, DORA does not have to be translated into each EU member state’s national legislation. Failure to comply with DORA comes with strict penalties:
- Financial entities that violate DORA may face fines of up to two percent of their total annual worldwide turnover or, in the case of an individual, a maximum fine of EUR 1,000,000. The amount of the fine will depend on the severity of the violation and the financial entity's cooperation with authorities.
- Third-party ICT service providers designated as "critical" by the European Supervisory Authorities may face fines of up to EUR 5,000,000 or, in the case of an individual, a maximum fine of EUR 500,000 for non-compliance with DORA. The ESAs will have the authority to impose these fines.
White Paper
Digital Operational Resilience Act (DORA)
Explore solutions for DORA compliance in the financial sector, covering information and communication technology (ICT) risk management, incident reporting, and more.
How Thales Helps with DORA Compliance
Thales’ solutions can help Financial Institutions and third-party ICT providers comply with DORA by simplifying compliance and automating security reducing the burden on security and compliance teams. We help address essential cybersecurity risk-management requirements under articles 8, 9, 10, 11, 19 and 28 of the regulation, covering ICT Risk Management and Governance, Incident Reporting, and ICT Third Party Risk Management.
We provide comprehensive cyber security solutions in three key areas of cybersecurity: Application Security, Data Security, and Identity & Access Management.
NIS2 Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address Key DORA Requirements
How Thales helps:
- Discover and classify potential risk for all public, private and shadow APIs.
- Identify structured and unstructured sensitive data at risk on-premises and in the cloud.
- Identify current state of compliance, documenting gaps, and providing a path to full compliance.
How Thales helps:
- Encrypt data-at-rest on-premises, across clouds, and in big data or container environments.
- Pseudonymize sensitive information in databases.
- Protect data in motion with high-speed encryption.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
How Thales helps:
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Data activity monitoring for structured and unstructured data across cloud and on premises systems.
Solutions:
Application Security
Data Security
How Thales helps:
- Limit the access of internal and external users to systems and data based on roles and context with policies.
- Apply contextual security measures based on risk scoring.
- Leverage smart cards for implementing physical access to sensitive facilities.
Solutions:
Identity & Access Management
Data Security
How Thales helps:
- Enable multi-factor authentication (MFA) with the broadest range of hardware and software methods and form factors.
- Build and deploy adaptive authentication policies based on the sensitivity of the data/application.
How Thales helps:
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
- Streamline key management in cloud and on-premises environments.
How Thales helps:
- Automatic reconciliation of production changes.
- Vulnerability assessment and risk mitigation.
- Detect changes in data layer schemas.
- Approval process for production level changes.
How Thales helps:
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
- Safeguard ICT network performance and integrity from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
How Thales helps:
- Data activity monitoring for structured and unstructured data across cloud and on-prem systems.
- Produce audit trail and reports of all access events to all systems, stream logs to external SIEM systems.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Mitigate of DDoS attacks in as little as three seconds.
- Implement preventive measures to predict and avoid crisis situations.
How Thales helps:
- A year's worth of retained records are instantly accessible for detailed search and investigation. Audit data is archived automatically but remains accessible in seconds for queries and reporting.
How Thales helps:
- Reduce third party risk by maintaining on-premises control over encryption keys protecting data hosted by in the cloud.
- Ensure complete separation of roles between cloud provider admins and your organization, restrict access to sensitive data.
- Monitor and alert anomalies to detect and prevent unwanted activities from disrupting supply chain activities.
- Enable relationship management with suppliers, partners or any third-party user; with clear delegation of access rights.
- Minimize privileges by using relationship-based fine-grained authorization.
Solutions:
Data Security
Identity & Access Management
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.