Exploring DORA

EU 2022/ 2554 Digital Operational Resilience Act (DORA)

Cutting right to it, the Digital Operational Resilience Act, commonly referred to simply as DORA,  was developed by the EU to enhance the resiliency of ICT (Information and Communication Technology) in the critical financial services sector. It brings with it huge oversight and the ability to fine up to 1% of daily revenues for non-compliance.

New legislation, especially ones of this complexity, introduce huge challenges for organizations within the bill’s scope, but in this instance, EU 2022/ 2554, aka DORA, has some unique distinctions that set it apart from all previous laws introduced by the EU with a focus on cybersecurity that also impacts third-party service providers even those not located in the EU. 

In this blog, first, I will highlight three unique elements of DORA that affect multinational ICT service providers. These items are essential to understand for organizations that want to continue to provide services to the European market: 

1. Mandatory oversight of Third-party ICT providers.

2. Harmonized Cross-Border Requirements for ICT Providers

3. Mandatory Contractual Provisions for ICT Provider Agreements

Secondly, Chapter 2 of DORA: ICT Risk Management, Section 2 has articles governing Response and recovery, and Backup policies and procedures …, areas you’d immediately consider Druva a suitable fit for. I’ll explore those and other articles where the Druva Data Security Cloud brings with it increased simplicity, resilience, and peace of mind for all organizations impacted by DORA. 

What is DORA?

It’s a large complicated set of new EU laws governing cyber resilience in the finance sector at its core. But practically, the main piece of legislation, EU 2022/2554 Digital Operational Resilience,  is 64 articles across 9 chapters. There are various supporting documents, such as implementing and regulating technical standards, delegating regulations, and many more, but I will focus on the primary components.

For those searching for information on DORA, a Google search will likely direct you toward the European Insurance and Occupational Pensions Authority (EIOPA), which is one of the European Supervisory Authorities (ESAs) responsible for drafting the DORA legislation. (The other two being the EBA (European Banking Authority) and ESMA (European Securities and Markets Authority).

The EIOPA website breaks down DORA  into six focus areas [fig 1]. These areas help underscore the technical criteria of the DORA articles.  The site also provides justifications for introducing the act, and links to those supporting documents mentioned above, most importantly, Regulatory Technical Standards (RTS).

There are three Regulatory Technical Standards (RTS) at this time. Introduced in late 2024, they provide further context for the measurement of alignment to DORA articles: 

• EU 2024/1774: RTS for ICT Risk Management Framework
  This RTS is the longest of the three, Chapter 1 focuses on ICT Security policies, procedures, protocols and tools, going into great detail around security concepts such as encryption and cryptographic controls, logging, network security, data and systems security. If you work in IT security this is the document to become most familiar with. 

• EU 2024/1772: RTS on ICT incidents classification
  The second longest at 13 articles, this RTS covers how incidents should be classified. The criticality of systems and data impacted, whether an incident is a major incident or not, and how to measure the effect on the business i.e. reputational, monetary, or partnership impact. 

• EU 2024/1773: RTS on third-party policy
  This last RTS is thankfully the shortest one, focuses on the importance of financial entities accurately measuring third-party risk. Article 8 Contractual clauses are worth visiting if you’re a non-EU entity doing business with the EU.  

Three unique elements of DORA

As I mentioned in the introduction, I want to first cover three unique areas that DORA addresses that we’ve yet to see introduced by European legislation governing information and communications technologies. 

1. Mandatory oversight of Third Party Service providers.
   This is a significant shift, as most previous legislation focused primarily on data privacy or specific critical industries under review, rather than their third-party providers.
   
   Language in this legislation commands unparalleled access by financial entities or assigned common authorities to ICT third-party service providers providing critical functions. This can include site visits to data centers and offices, transparency around technology solutions, and any sub-contractors components to any service or technology.
   
   While other regulations (such as GDPR) impose obligations on data processors, DORA is the first to bring third-party ICT providers directly under the purview of financial regulators, ensuring they meet stringent operational resilience standards.
   
   
2. Harmonized Cross-Border Requirements for ICT Providers
   Unlike other regulations that allow for varying interpretations and implementations across member states, DORA creates a unified framework, simplifying compliance for multinational ICT providers.
   
   This includes standardized incident reporting, testing protocols, and risk management practices.
   
   Financial entities must ensure their ICT providers comply with these harmonized rules, even if they are located outside the EU.
   
   
3. Mandatory Contractual Provisions for ICT Provider Agreements
   DORA imposes specific contractual obligations that financial entities must include in their agreements with ICT service providers, ensuring accountability and resilience. (Druva itself has a Data Resilience guarantee, backed by a $10M commitment.)
   
   While other regulations (such as GDPR) require contracts to address data protection, DORA goes further by mandating detailed operational resilience clauses, ensuring ICT providers are fully accountable for their role in maintaining the financial sector’s stability.
   
   As referred above, EU 2024/1773: RTS on third-party policy has specific guidance on those third-party contractual obligations. 

Druva Data Security Cloud & DORA

To follow on from the DORA breakdown provided by the EIOPA, I’ve grouped the articles associated with EIOPA’s focus areas (Tab 1).  

Information and Intelligence sharing is somewhat of an outlier, being introduced to support and encourage the voluntary sharing of cyber threat intelligence among financial entities to foster collective resilience by enabling entities to stay informed about potential threats it is primarily procedural and entirely voluntary.

The above table will help those navigating DORA focus their studies, on the relevant articles of interest. The bulk of articles with relevance to technical solutions is found in Chapter 2: ICT Risk management. It’s there, and in the RTS for ICT risk management frameworks where I found the greatest parallels to solutions available in the Druva Data Security Cloud platform.

The Druva Data Security Cloud offers a great deal more than simple data protection through its globally distributed SaaS-first, fully managed platform. Engineered to secure and recover data from a wide array of threats with its innovative cloud-native architecture. 

Druva employs a zero-trust security model and ensures the highest level of security across all workloads. The platform provides a comprehensive solution encompassing data protection, cyber‬ response and recovery, and eDiscovery and compliance.‬ 

Druva's integrated response capabilities allow organizations to assess and address threats promptly, and bounce back to clean data without loss ensuring maximum resilience. By combining these features, Druva complements existing perimeter defenses, providing a seamless, comprehensive solution‬ that simplifies the response and recovery process and ensures robust protection against modern threats.‬

I’ve tabulated the results of my analysis of DORA and the RTS articles in (Tab 2) noting how Druva can provide further context and value to financial entities looking to comply with DORA legislation.

Conclusion

This is just a brief look at the impact and scope of DORA and the details go far deeper. For more information on how Druva can support organizations with ICT security please reach out to your local Druva representative.

For a detailed understanding of how Druva’s SaaS solution provides a single, secure, and scalable platform to tackle the complex challenges of data security, read our Druva: A Modern Approach to Data Security whitepaper.