What is DORA – and how can Proton help with compliance?

The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.

No one can accuse the European Union of complacency when it comes to ambitious pieces of legislation intended to enhance cybersecurity across EU member states. Hot on the heels of NIS2(nuova finestra), the Digital Operational Resilience Act(nuova finestra) (DORA) aims to improve the cybersecurity and operational resilience of financial entities such as banks, insurance companies, and investment firms. Companies need to comply with the DORA by January 17, 2025.

What is DORA?

Dora is a regulation introduced by the European Union to improve the cybersecurity and operational resilience of financial entities in the EU. Much like NIS2, it aims to ensure financial institutions can withstand, respond to, and recover from all types of information and ICT-related disruptions and threats.

Why does DORA matter?

Businesses that fail to comply with DORA may face huge fines, suspension or limitation of operations, reputational damage, and increased supervision and monitoring. They will also be at increased risk of cyberattacks(nuova finestra).

As with the GDPR(nuova finestra), if your company is based outside the EU, it will still need to comply with DORA if it provides services to or operates within the European Union’s financial sector. DORA applies to all financial entities and third-party service providers that have significant operations or interactions with EU-based financial institutions (Article 2 (u) ). 

So what should my organization do?

Proton’s suite of secure, encrypted tools can help your business avoid these penalties and protect your data. Let’s schedule a meeting(nuova finestra) to explore how Proton can simplify your DORA compliance and keep your business safe.

In this article, we look at how DORA will impact your business or organization and how Proton’s services can help it meet its compliance requirements. 

• Who must comply with DORA?
• DORA obligations
• What are the penalties for non-compliance?
• Where to start your DORA compliance journey
• How Proton can help with DORA compliance

Who must comply with DORA?

DORA aims to create a harmonized framework for operational resilience in the EU financial sector. As such, it applies to a wide range of financial entities and ICT (information and communication technology) service providers that deliver critical digital services to financial institutions. The following types of entities are required to comply with DORA:

Financial entities

DORA applies to a broad spectrum of financial institutions operating in the EU, including:

• Banks: Traditional retail and investment banks, like BNP Paribas or Deutsche Bank
• Payment institutions: Companies offering payment services, including electronic money institutions (EMIs), like Paypal, Revolut, or Stripe
• Investment firms: Companies providing financial advisory services, wealth management, or other investment-related services
• Insurance and reinsurance companies: Providers of insurance products, such as life, health, or property insurance, plus reinsurance firms, like AXA or Allianz
• Credit institutions: Firms that extend loans or other forms of credit
• Asset managers: Entities managing portfolios of financial assets, including UCITS(nuova finestra) and alternative investment fund(nuova finestra) managers.
• Crypto-asset service providers (CASPs): Companies that facilitate services related to cryptocurrencies and other digital assets, like Coinbase or Kraken
• Securities exchanges and trading venues: Platforms where securities, commodities, and other financial instruments are traded
• Central counterparties (CCPs): Entities that interpose themselves between counterparties in a financial transaction to reduce the risk of default
• Central securities depositories (CSDs): Firms that provide the infrastructure for securities settlement and the safekeeping of securities
• Pension funds: Institutions managing retirement savings and payouts

Critical third-party ICT service providers

• Cloud service providers: Companies offering cloud infrastructure, platforms, or software services to financial entities, like Amazon Web Services
• Data centers: Firms providing data storage or processing infrastructure
• Cybersecurity providers: Companies delivering cybersecurity solutions, monitoring, and response services, like Crowdstrike
• Software vendors: Providers of critical software systems that are integral to the operations of financial institutions, like Microsoft

Outsourcing and ICT providers to financial entities

Any third-party technology service provider whose services are considered crucial to a financial entity’s operations must comply with DORA. This includes non-EU ICT service providers that deliver key services to financial entities in the EU, as DORA requires robust third-party risk management.

Financial market infrastructure firms

DORA covers firms that provide infrastructure for the smooth functioning of financial markets, including:

• Stock exchanges and other trading venues, like Euronext
• Trade repositories: Entities that collect and maintain records of derivative contracts
• Payment systems: Systems that facilitate the transfer of funds between financial institutions
• Clearing and settlement systems: Entities that ensure the settlement of transactions and reduce counterparty risk

Credit rating agencies

Entities responsible for evaluating the creditworthiness of issuers of securities or financial instruments, like Moody’s, must also comply with DORA’s operational resilience requirements.

Crowdfunding service providers

Crowdfunding platforms that operate in the EU and facilitate financial transactions between investors and project creators, like Indiegogo, are also covered by DORA.

Non-EU companies

As already noted, non-EU companies that interact with financial institutions operating in the EU will need to comply with DORA. Companies that are most likely to be affected include:

• ICT services providers to EU-based financial institutions (such as cloud computing, data storage, cybersecurity services, or software platforms) 
• Financial institutions with a presence in the EU (such as branches, subsidiaries, or partnerships). For example, if a US-based bank operates in EU countries, its EU operations must follow DORA’s cybersecurity and operational resilience guidelines, even though the parent company is headquartered outside the EU.
• Service providers to EU-based financial institutions (for example, payment processors, IT systems, and fintech solutions). 
• Providers of key technological infrastructure for financial institutions within the EU.

DORA obligations

DORA’s purpose is to ensure that financial institutions can withstand, respond to, and recover from significant ICT-related incidents, thus improving the overall resilience of the entire EU financial system against the growing danger of cyberthreats and digital disruptions. If your business is in the financial sector, you must meet the following requirements:

ICT risk management

Companies must develop and implement effective policies, processes, and governance structures to identify, manage, and mitigate ICT-related risks. They must regularly assess, document, and monitor internal and external ICT risks that could affect the integrity, security, and availability of information systems.

Any such assessments should include risks posed by reliance on third-party ICT providers, such as cloud providers, data centers, and fintech vendors.

ICT incident response and recovery

Once risks are identified, your company must implement appropriate technical and organizational measures to address these risks. This means ensuring it has robust incident recovery and business continuity plans in place to restore services quickly in case of disruptions.

Incident response and recovery procedures should be regularly tested through drills or simulations to assess their effectiveness and ensure readiness. You should inform stakeholders about all disruptions that might impact service availability, data integrity, or operations.

ICT risk monitoring and logging

Your company must implement robust mechanisms to continuously monitor its ICT systems, ensuring real-time detection of anomalies, vulnerabilities, or potential breaches. You should log results, allowing you to track events, access, and data integrity for forensic purposes in case of an incident.

Incident reporting

If a major incident happens (such as a cyberattack or system outage), your company must report it to the relevant authorities within a specified timeframe (as determined by each member state).

Resilience testing

Your company must conduct periodic tests of its digital operational resilience to ensure it can withstand a variety of ICT disruptions, including cyberattacks, system failures, and data breaches. This should include advanced threat-led penetration testing(nuova finestra) at least every three years, plus regular vulnerability assessments. 

Governance and oversight

DORA requires board-level responsibility, meaning that senior management must oversee your company’s ICT risk strategies and ensure their implementation (where applicable: note that Article 1.2 specifically excludes “microenterprises” from the legislation). 

You should clearly define the roles and responsibilities related to ICT risk management to ensure accountability across all relevant departments.

Information sharing

DORA encourages financial institutions to participate in information-sharing arrangements with peers and regulatory bodies to share knowledge of cyberthreats, vulnerabilities, and best practices.

Compliance with regulatory oversight

Companies are required to cooperate with relevant authorities by providing access to records, audit reports, and any necessary information related to operational resilience and ICT risks. You must follow guidelines issued by European Supervisory Authorities(nuova finestra) (ESA) and undergo periodic audits or reviews by regulators to ensure compliance with DORA.

Training and awareness

Your company should conduct regular training programs to raise awareness of cyber risks and ensure DORA compliance among staff.

Protect data integrity and availability

The confidentiality, integrity, and availability of sensitive financial and customer data must be protected using strong encryption, access controls, and other data protection measures. You should back up critical data regularly and put robust recovery capabilities in place.

What are the penalties for non-compliance?

Companies that fail to comply with DORA’s requirements may face significant penalties. EU member states will be individually responsible for implementing and enforcing these penalties, and the specific fines and sanctions may differ somewhat depending on local legislation.

However, the goal of DORA is to create a harmonized framework for operational resilience, meaning that non-compliance is likely to result in serious consequences across the EU. To this end, the ESAs play a critical role in overseeing the implementation, enforcement, and monitoring of DORA across member states. 

Fines

Regulatory authorities have the power to impose fines. The amount of these fines can vary depending on the severity of the violation and the national implementation of DORA by each EU member state.

Suspension or limitation of operations

Companies that breach DORA repeatedly or in critical ways may find their activities suspended or restricted. 

Increased supervision and monitoring

Non-compliant entities may face heightened scrutiny from regulatory authorities. This could include more frequent audits or a requirement to submit detailed reports on their digital operational resilience measures. Companies might also be forced to undergo additional penetration testing or other remedial steps under regulatory supervision to improve their resilience posture.

Liability for damages

Entities that fail to maintain the required level of cybersecurity and operational resilience may be held liable for damages caused by cyber incidents, data breaches, or operational failures.

Restrictions on use of non-compliant third parties

If your company relies on a non-compliant third-party ICT service provider, regulators could restrict you from continuing your engagement with that provider. Of course, the non-compliant third parties could also face penalties or restrictions of their own. 

Where to start your DORA compliance journey

To start your DORA compliance journey, it’s essential to approach it methodically, ensuring that your organization addresses the various pillars of DORA’s requirements. By taking a systematic approach — starting with identifying your regulatory obligations and developing a plan for enhancing resilience — you can ensure that your organization meets the requirements of DORA and is protected against growing cyber threats and disruptions.

1. Identify if DORA applies to your organization: Determine whether your company falls under the categories specified by DORA, such as banks, insurance companies, payment institutions, asset managers, or third-party ICT providers (for example, cloud providers and cybersecurity services). 

2. Assign internal responsibility: Create a dedicated team or appoint individuals responsible for managing DORA compliance. Ensure they have a good understanding of DORA’s requirements and regulatory implications. This team should include representatives from IT, risk management, legal, compliance, and business operations. 

Note also DORA emphasizes that the board of directors and senior management must take responsibility for compliance, so ensure your leadership is aware of its obligations.

3. Assess current ICT and operational resilience: Conduct a gap analysis(nuova finestra) of your existing ICT risk management and operational resilience framework to identify gaps between your current practices and DORA’s requirements. It may be worth hiring external auditors or consultants to provide an objective view of your current state, and to help identify areas where improvement is needed.

4. Develop a comprehensive ICT risk management framework: This should include details on how you plan to identify, assess, and mitigate risks, and establish clear roles and responsibilities with specific roles and responsibilities assigned to key personnel to ensure that accountability for managing ICT risk is clearly defined across departments.

5. Establish or improve incident reporting procedures: This should include a system to classify incidents based on severity, to help ensure timely reporting of incidents to regulators and stakeholders.

6. Regularly test your resilience framework: This includes conducting vulnerability assessments to identify weaknesses and threat-led penetration testing to simulate real-world attacks and assess defenses. At minimum, testing should be performed annually and whenever major changes are made to your ICT systems.

7. Review and assess contracts with third-party ICT providers: Contracts with critical third-party providers should include service-level agreements(nuova finestra) (SLAs) covering operational resilience, provisions for incident reporting and data breach notifications, plus exit strategies in case of service termination or disruption. Before onboarding new third-party providers, conduct thorough due diligence to evaluate their resilience capabilities and ensure compliance with DORA’s requirements.

8. Establish communication with supervisory authorities: Keep your national competent authority(nuova finestra) (NCA) or the relevant European Supervisory Authority(nuova finestra) informed about your compliance efforts, significant incidents, and resilience plans. Make sure all compliance documentation, such as ICT risk assessments, incident reports, and testing records, is easily accessible, and be ready for regulatory audits and inspections. 

9. Conduct regular training programs: DORA emphasizes the need for ongoing staff awareness to maintain a strong security posture, so create an organizational culture where resilience is a priority. Make sure all your employees understand the importance of cybersecurity and their role in ensuring the organization’s operational resilience.

10: Document everything: DORA requires detailed documentation of all ICT risk management and operational resilience activities. Keep records of risk assessments, testing results, incident reports, and third-party provider evaluations. This documentation will be crucial during audits and inspections.

To learn more about how to keep your business secure, please consult A Practical Guide to Security for Growing Businesses, our comprehensive security ebook by cybersecurity expert and Head of Security at Proton, Patricia Egger.

How Proton can help with DORA compliance

Although DORA doesn’t explicitly mandate specific encryption standards in any one section, it addresses the protection of data and information security throughout the act. With encryption being a commonly accepted measure to ensure the confidentiality, integrity, and availability of sensitive data, the need for strong encryption is implicit throughout the Act — notably under the broader umbrella of ICT risk management (Article 6), and frequent reference to “the highest Information security standards” throughout the document. 

Proton is an industry-standard leader in cybersecurity and cyberprivacy, with certifications such as ISO 27001(nuova finestra). As with the GDPR(nuova finestra), HIPAA(nuova finestra), and the NIS2 Directive(nuova finestra), our Proton for Business(nuova finestra) and Proton VPN for Business(nuova finestra) plans offer an increasingly comprehensive suite of secure privacy services that can help your organization comply with the DORA in several key ways:

Encryption and data confidentiality

Proton offers end-to-end encryption(nuova finestra) E2EE) for its Proton Mail(nuova finestra), Proton Dive(nuova finestra), Proton Pass(nuova finestra), and Proton Calendar(nuova finestra), ensuring that sensitive information such as client data, financial reports, and internal communications is protected from unauthorized access. E2EE aligns with DORA’s implicit data security requirements in ensuring the confidentiality and integrity of financial data.

Where E2EE isn’t used (for example, when sending an email to a non-Proton account), our zero-access encryption model(nuova finestra) ensures Proton itself can’t decrypt the data. This can help your company meet its obligation to secure data from internal and external threats, which is a core component of DORA’s ICT risk management requirements.

Secure communications

DORA emphasizes strong ICT risk management, including securing communications between financial institutions, their clients, and third parties. Proton Mail provides a secure email platform that encrypts email content and attachments, reducing the risk of interception or unauthorized access during transmission.

Proton Calendar can help your company to securely organize and manage internal and external meetings, safeguarding sensitive information such as strategic discussions or client data.

Proton’s services align with GDPR requirements for protecting personal data, which dovetails with DORA’s broader emphasis on safeguarding data and ensuring that operational resilience is maintained, particularly in the face of incidents or cyberattacks.

Incident response and continuity plans

DORA requires organizations to ensure they have backup and recovery plans in place as part of their operational resilience strategy. Proton Drive can assist with this, as it provides encrypted cloud storage to ensure critical financial data and documents are securely backed up and can be quickly recovered in the event of a disruption. 

Proton provides secure redundancy across our high-availability server network. So your data is always safe with us, and available for rapid recovery of data under any eventuality. 

DORA also emphasizes the importance of safeguarding remote access to systems and data. With ProtonVPN for Business’ dedicated servers(nuova finestra), your company can provide secure, encrypted, segmented access to all its onsite and SaaS resources, thus greatly mitigating the risk of unauthorized access or of data being intercepted.

Third-party risk management

As a secure ICT service provider, Proton can help your organization manage its third-party risks by offering services that comply with the highest standards of security. DORA requires financial institutions to carefully vet their third-party ICT providers, ensuring these providers have robust security and resilience measures in place.

Proton’s industry-standard security and privacy-first approach makes us a trusted third-party service provider(nuova finestra) for entities that need to protect sensitive information. All our products’ open source(nuova finestra), and we regularly commission independent audits so you can be confident that they are secure..

Reporting and transparency

Proton regularly publishes transparency reports(nuova finestra) that provide insights(nuova finestra) into how we handle data and respond to law enforcement requests. This aligns with DORA’s focus on incident reporting and transparency. If an incident affecting data security occurs, Proton’s transparency practices can help organizations meet DORA’s incident reporting requirements to national competent authorities.

How using Proton aligns with DORA’s key requirements:

DORA requirement	Proton’s solutions
ICT risk management	End-to-end encryption, zero-access encryption, secure data storage and communication
Data confidentiality and integrity	All our services use strong encryption to protect sensitive data
Third-party risk management	GDPR compliance and robust privacy practices make Proton a trusted third-party provider
Incident reporting	Transparency reports and secure communication platforms support timely incident response
Operational resilience and testing	Encrypted backups and services contribute to digital operational resilience
Secure communication	Proton Mail, Proton VPN, and Proton Calendar ensure secure internal and external communication across organizations

​​Discover how Proton can help you with your DORA journey.