The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only.
No one can accuse the European Union of complacency when it comes to ambitious pieces of legislation intended to enhance cybersecurity across EU member states. Hot on the heels of NIS2, the Digital Operational Resilience Act (DORA) aims to improve the cybersecurity and operational resilience of financial entities such as banks, insurance companies, and investment firms. DORA applies from January 17, 2025.
What is DORA?
DORA (Regulation (EU) 2022/2554) is a regulation introduced by the European Union to improve the cybersecurity and operational resilience of financial entities in the EU. Unlike NIS2, which is a directive that each member state transposes into national law, DORA applies directly. Much like NIS2, it aims to ensure financial institutions can withstand, respond to, and recover from all types of information and ICT-related disruptions and threats.
Why does DORA matter?
Businesses that fail to comply with DORA may face substantial fines, suspension or limitation of operations, reputational damage, and increased supervision and monitoring. An organization that falls short of DORA's requirements is also, by the same token, less able to withstand the cyberattacks the regulation is designed to address.
As with the GDPR, if your company is based outside the EU, it will still need to comply with DORA if it provides services to or operates within the European Union's financial sector. DORA applies to the financial entities listed in Article 2(1), and ICT third-party service providers appear in that list at Article 2(1)(u); non-EU providers are reached through the contractual requirements DORA places on the financial entities that use them.
So what should my organization do?
Proton’s suite of secure, encrypted tools can help your business avoid these penalties and protect your data. Let’s schedule a meeting to explore how Proton can simplify your DORA compliance and keep your business safe.
In this article, we look at how DORA will impact your business or organization and how Proton’s services can help it meet its compliance requirements.
- Who must comply with DORA?
- DORA obligations
- What are the penalties for non-compliance?
- Where to start your DORA compliance journey
- How Proton can help with DORA compliance
Who must comply with DORA?
DORA aims to create a harmonized framework for operational resilience in the EU financial sector. As such, it applies to a wide range of financial entities and ICT (information and communication technology) service providers that deliver critical digital services to financial institutions. The following types of entities are required to comply with DORA:
Financial entities
DORA applies to a broad spectrum of financial institutions operating in the EU, including:
- Banks: Traditional retail and investment banks, like BNP Paribas or Deutsche Bank
- Payment institutions: Companies offering payment services, including electronic money institutions (EMIs), like Paypal, Revolut, or Stripe
- Investment firms: Companies providing financial advisory services, wealth management, or other investment-related services
- Insurance and reinsurance companies: Providers of insurance products, such as life, health, or property insurance, plus reinsurance firms, like AXA or Allianz
- Credit institutions: Firms that extend loans or other forms of credit
- Asset managers: Entities managing portfolios of financial assets, including UCITS and alternative investment fund managers
- Crypto-asset service providers (CASPs): Companies that facilitate services related to cryptocurrencies and other digital assets, like Coinbase or Kraken
- Securities exchanges and trading venues: Platforms where securities, commodities, and other financial instruments are traded
- Central counterparties (CCPs): Entities that interpose themselves between counterparties in a financial transaction to reduce the risk of default
- Central securities depositories (CSDs): Firms that provide the infrastructure for securities settlement and the safekeeping of securities
- Pension funds: Institutions managing retirement savings and payouts
Critical third-party ICT service providers
- Cloud service providers: Companies offering cloud infrastructure, platforms, or software services to financial entities, like Amazon Web Services
- Data centers: Firms providing data storage or processing infrastructure
- Cybersecurity providers: Companies delivering cybersecurity solutions, monitoring, and response services, like Crowdstrike
- Software vendors: Providers of critical software systems that are integral to the operations of financial institutions, like Microsoft
Outsourcing and ICT providers to financial entities
Any third-party technology service provider whose services are considered crucial to a financial entity’s operations is drawn into DORA’s scope. This includes non-EU ICT service providers that deliver key services to financial entities in the EU: DORA binds them mainly through the contractual provisions financial entities must impose on them (Article 30), and providers designated as critical fall under direct oversight by the European Supervisory Authorities (Article 31).
Financial market infrastructure firms
DORA covers firms that provide infrastructure for the smooth functioning of financial markets, including:
- Stock exchanges and other trading venues, like Euronext
- Trade repositories: Entities that collect and maintain records of derivative contracts
- Payment systems: Systems that facilitate the transfer of funds between financial institutions
- Clearing and settlement systems: Entities that ensure the settlement of transactions and reduce counterparty risk
Credit rating agencies
Entities responsible for evaluating the creditworthiness of issuers of securities or financial instruments, like Moody’s, must also comply with DORA’s operational resilience requirements.
Crowdfunding service providers
Crowdfunding platforms authorized under the EU Crowdfunding Regulation (Regulation (EU) 2020/1503), that is, investment- and lending-based platforms that facilitate financial transactions between investors and project owners, are also covered by DORA.
Non-EU companies
As already noted, non-EU companies that interact with financial institutions operating in the EU will need to comply with DORA. Companies that are most likely to be affected include:
- ICT services providers to EU-based financial institutions (such as cloud computing, data storage, cybersecurity services, or software platforms)
- Financial institutions with a presence in the EU (such as branches, subsidiaries, or partnerships). For example, if a US-based bank operates in EU countries, its EU operations must follow DORA’s cybersecurity and operational resilience guidelines, even though the parent company is headquartered outside the EU.
- Service providers to EU-based financial institutions (for example, payment processors, IT systems, and fintech solutions).
- Providers of key technological infrastructure for financial institutions within the EU.
DORA obligations
DORA’s purpose is to ensure that financial institutions can withstand, respond to, and recover from significant ICT-related incidents, thus improving the overall resilience of the entire EU financial system against the growing danger of cyberthreats and digital disruptions. If your business is in the financial sector, you must meet the following requirements:
ICT risk management
Companies must develop and implement effective policies, processes, and governance structures to identify, manage, and mitigate ICT-related risks. They must regularly assess, document, and monitor internal and external ICT risks that could affect the integrity, security, and availability of information systems.
Any such assessments should include risks posed by reliance on third-party ICT providers, such as cloud providers, data centers, and fintech vendors.
ICT incident response and recovery
Once risks are identified, your company must implement appropriate technical and organizational measures to address these risks. This means ensuring it has robust incident recovery and business continuity plans in place to restore services quickly in case of disruptions.
Incident response and recovery procedures should be regularly tested through drills or simulations to assess their effectiveness and ensure readiness. You should inform stakeholders about all disruptions that might impact service availability, data integrity, or operations.
ICT risk monitoring and logging
Your company must implement mechanisms to continuously monitor its ICT systems so that anomalies, vulnerabilities, and potential breaches are detected promptly. Logs of events, access, and changes to data should be retained and protected against tampering so they can be relied on for forensic analysis after an incident.
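The forensic value of a log depends on being able to show it was not altered after the fact. One common technique for this is a hash chain, in which every record carries a keyed tag over its own content and the previous record's tag. The following is an added example written for this article, not Proton's code; the key, the sample event records, and the function names are constructed for illustration. It also shows a limitation a practitioner should know about: quietly dropping the newest records leaves a valid chain, which is why the last tag should periodically be anchored somewhere the log writer cannot modify.

```python
"""Tamper-evident audit log built on an HMAC hash chain.

Each record's tag covers its own content and the previous record's tag, so
any modification, deletion, or reordering of earlier records breaks the chain
on verification. Added illustration, not Proton's code: the key, the event
records, and the function names are constructed for this example.
"""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List

# Constructed demo key. In a real deployment the key would live in an HSM or
# KMS, and the verifier would hold it separately from the system writing logs.
DEMO_KEY = b"demo-audit-log-key-do-not-use-in-production"
GENESIS_TAG = "0" * 64  # previous-tag value used by the first record

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"ts": "2025-01-17T08:00:01Z", "user": "alice", "action": "login",
     "result": "ok", "src": "10.0.0.5"},
    {"ts": "2025-01-17T08:02:13Z", "user": "alice", "action": "export_report",
     "result": "ok", "object": "q4-ledger.xlsx"},
    {"ts": "2025-01-17T08:02:40Z", "user": "mallory", "action": "login",
     "result": "fail", "src": "203.0.113.9"},
]


def _tag(seq: int, prev: str, event: Dict[str, Any], key: bytes) -> str:
    # Canonical JSON so the same record always produces the same bytes.
    payload = json.dumps({"seq": seq, "prev": prev, "event": event},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_event(log: List[Dict[str, Any]], event: Dict[str, Any],
                 key: bytes = DEMO_KEY) -> Dict[str, Any]:
    """Append an event, chaining it to the previous record's tag."""
    seq = len(log)
    prev = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": seq, "prev": prev, "event": event,
             "tag": _tag(seq, prev, event, key)}
    log.append(entry)
    return entry


def verify_log(log: List[Dict[str, Any]], key: bytes = DEMO_KEY) -> int:
    """Return the index of the first broken record, or -1 if the chain holds."""
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev:
            return i  # gap, deletion, or reordering
        expected = _tag(entry["seq"], entry["prev"], entry["event"], key)
        if not hmac.compare_digest(expected, entry["tag"]):
            return i  # content or tag altered
        prev = entry["tag"]
    return -1


def verify_anchored(log: List[Dict[str, Any]], anchor_tag: str,
                    key: bytes = DEMO_KEY) -> bool:
    """Chain check plus comparison against an externally stored last tag.

    Without the anchor, dropping the newest records is undetectable because
    the remaining prefix is still a valid chain.
    """
    if not log or verify_log(log, key) != -1:
        return False
    return hmac.compare_digest(log[-1]["tag"], anchor_tag)


def build_demo_log() -> List[Dict[str, Any]]:
    log: List[Dict[str, Any]] = []
    for event in SAMPLE_EVENTS:
        append_event(log, event)
    return log


def tamper_demo() -> Dict[str, Any]:
    """Run the verifier against an intact log and four tampered copies."""
    original = build_demo_log()
    anchor = original[-1]["tag"]  # imagine this was shipped to a separate store

    modified = copy.deepcopy(original)
    modified[1]["event"]["object"] = "nothing-to-see.xlsx"  # rewrite history

    deleted = copy.deepcopy(original)
    del deleted[1]  # remove the export record

    reordered = copy.deepcopy(original)
    reordered[1], reordered[2] = reordered[2], reordered[1]

    truncated = copy.deepcopy(original)[:-1]  # drop only the newest record

    return {
        "intact": verify_log(original),                 # -1
        "modified": verify_log(modified),               # 1
        "deleted": verify_log(deleted),                 # 1
        "reordered": verify_log(reordered),             # 1
        "truncated_unanchored": verify_log(truncated),  # -1: not detected
        "truncated_anchored": verify_anchored(truncated, anchor),  # False
    }


if __name__ == "__main__":
    for check, result in tamper_demo().items():
        print(f"{check}: {result}")
```

The HMAC key must be held by a party other than the system producing the log; if the log writer can recompute tags, it can also rewrite history. In practice the anchor (the latest tag) is written to a separate store, a SIEM, or a signed timestamp at a fixed interval, which bounds how much can be silently truncated to that interval.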
Incident reporting
If a major ICT-related incident happens (such as a cyberattack or system outage), your company must report it to its competent authority using the staged process DORA sets out in Article 19: an initial notification, an intermediate report, and a final report. The deadlines are harmonized at EU level through the regulatory and implementing technical standards adopted under DORA rather than set by each member state. Under those standards the initial notification is due within 4 hours of classifying the incident as major and no later than 24 hours after becoming aware of it, the intermediate report within 72 hours of the initial notification, and the final report within one month of the intermediate report. Significant cyber threats may additionally be reported on a voluntary basis.
Resilience testing
Your company must conduct periodic tests of its digital operational resilience to ensure it can withstand a variety of ICT disruptions, including cyberattacks, system failures, and data breaches. This should include advanced threat-led penetration testing at least every three years, plus regular vulnerability assessments.
Governance and oversight
DORA requires board-level responsibility: the management body must define, approve, oversee, and be accountable for the ICT risk management framework (Article 5). Note that microenterprises are not excluded from DORA altogether, but a number of its provisions expressly exempt them, and Article 16 provides a simplified ICT risk management framework for certain small entities.
You should clearly define the roles and responsibilities related to ICT risk management to ensure accountability across all relevant departments.
Information sharing
DORA encourages financial institutions to participate in information-sharing arrangements with peers and regulatory bodies to share knowledge of cyberthreats, vulnerabilities, and best practices.
Compliance with regulatory oversight
Companies are required to cooperate with relevant authorities by providing access to records, audit reports, and any necessary information related to operational resilience and ICT risks. You must follow guidelines issued by the European Supervisory Authorities (ESAs) and undergo periodic audits or reviews by regulators to ensure compliance with DORA.
Training and awareness
Your company should conduct regular training programs to raise awareness of cyber risks and ensure DORA compliance among staff.
Protect data integrity and availability
The confidentiality, integrity, and availability of sensitive financial and customer data must be protected using strong encryption, access controls, and other data protection measures. You should back up critical data regularly and put robust recovery capabilities in place.
What are the penalties for non-compliance?
Companies that fail to comply with DORA’s requirements may face significant penalties. EU member states will be individually responsible for implementing and enforcing these penalties, and the specific fines and sanctions may differ somewhat depending on local legislation.
However, the goal of DORA is to create a harmonized framework for operational resilience, meaning that non-compliance is likely to result in serious consequences across the EU. To this end, the ESAs play a critical role in overseeing the implementation, enforcement, and monitoring of DORA across member states.
Fines
Regulatory authorities have the power to impose fines. The amount of these fines can vary depending on the severity of the violation and the national implementation of DORA by each EU member state.
Suspension or limitation of operations
Companies that breach DORA repeatedly or in critical ways may find their activities suspended or restricted.
Increased supervision and monitoring
Non-compliant entities may face heightened scrutiny from regulatory authorities. This could include more frequent audits or a requirement to submit detailed reports on their digital operational resilience measures. Companies might also be forced to undergo additional penetration testing or other remedial steps under regulatory supervision to improve their resilience posture.
Liability for damages
Entities that fail to maintain the required level of cybersecurity and operational resilience may be held liable for damages caused by cyber incidents, data breaches, or operational failures.
Restrictions on use of non-compliant third parties
If your company relies on a non-compliant third-party ICT service provider, regulators could restrict you from continuing your engagement with that provider. Of course, the non-compliant third parties could also face penalties or restrictions of their own.
Where to start your DORA compliance journey
To start your DORA compliance journey, it’s essential to approach it methodically, ensuring that your organization addresses the various pillars of DORA’s requirements. By taking a systematic approach — starting with identifying your regulatory obligations and developing a plan for enhancing resilience — you can ensure that your organization meets the requirements of DORA and is protected against growing cyber threats and disruptions.
1. Identify if DORA applies to your organization: Determine whether your company falls under the categories specified by DORA, such as banks, insurance companies, payment institutions, asset managers, or third-party ICT providers (for example, cloud providers and cybersecurity services).
2. Assign internal responsibility: Create a dedicated team or appoint individuals responsible for managing DORA compliance. Ensure they have a good understanding of DORA’s requirements and regulatory implications. This team should include representatives from IT, risk management, legal, compliance, and business operations.
Note also DORA emphasizes that the board of directors and senior management must take responsibility for compliance, so ensure your leadership is aware of its obligations.
3. Assess current ICT and operational resilience: Conduct a gap analysis of your existing ICT risk management and operational resilience framework to identify gaps between your current practices and DORA’s requirements. It may be worth hiring external auditors or consultants to provide an objective view of your current state and to help identify areas where improvement is needed.
4. Develop a comprehensive ICT risk management framework: This should include details on how you plan to identify, assess, and mitigate risks, and assign specific roles and responsibilities to key personnel so that accountability for managing ICT risk is clearly defined across departments.
5. Establish or improve incident reporting procedures: This should include a system to classify incidents based on severity, to help ensure timely reporting of incidents to regulators and stakeholders.
6. Regularly test your resilience framework: This includes conducting vulnerability assessments to identify weaknesses and threat-led penetration testing to simulate real-world attacks and assess defenses. At minimum, testing should be performed annually and whenever major changes are made to your ICT systems.
7. Review and assess contracts with third-party ICT providers: Contracts with critical third-party providers should include service-level agreements (SLAs) covering operational resilience, provisions for incident reporting and data breach notifications, plus exit strategies in case of service termination or disruption. Before onboarding new third-party providers, conduct thorough due diligence to evaluate their resilience capabilities and ensure compliance with DORA’s requirements.
8. Establish communication with supervisory authorities: Keep your national competent authority (NCA) or the relevant European Supervisory Authority informed about your compliance efforts, significant incidents, and resilience plans. Make sure all compliance documentation, such as ICT risk assessments, incident reports, and testing records, is easily accessible, and be ready for regulatory audits and inspections.
9. Conduct regular training programs: DORA emphasizes the need for ongoing staff awareness to maintain a strong security posture, so create an organizational culture where resilience is a priority. Make sure all your employees understand the importance of cybersecurity and their role in ensuring the organization’s operational resilience.
10. Document everything: DORA requires detailed documentation of all ICT risk management and operational resilience activities. Keep records of risk assessments, testing results, incident reports, and third-party provider evaluations. This documentation will be crucial during audits and inspections.
To learn more about how to keep your business secure, please consult A Practical Guide to Security for Growing Businesses, our comprehensive security ebook by cybersecurity expert and Head of Security at Proton, Patricia Egger.
How Proton can help with DORA compliance
Although DORA itself doesn’t prescribe specific encryption standards, it addresses the protection of data and information security throughout the act, notably under the ICT risk management framework (Article 6) and the protection and prevention measures of Article 9, and the regulatory technical standards adopted under it set out requirements for encryption and cryptographic key management. With encryption a commonly accepted measure for ensuring the confidentiality and integrity of sensitive data, the need for strong encryption is implicit throughout the Act and in its repeated references to high standards of information security.
Proton is a recognized leader in cybersecurity and privacy, with certifications such as ISO 27001. As with the GDPR, HIPAA, and the NIS2 Directive, our Proton for Business and Proton VPN for Business plans offer an increasingly comprehensive suite of secure privacy services that can help your organization comply with DORA in several key ways:
Encryption and data confidentiality
Proton offers end-to-end encryption (E2EE) for Proton Mail, Proton Drive, Proton Pass, and Proton Calendar, ensuring that sensitive information such as client data, financial reports, and internal communications is protected from unauthorized access. E2EE aligns with DORA’s implicit data security requirements by ensuring the confidentiality and integrity of financial data.
Where E2EE isn’t used (for example, when sending an email to a non-Proton account), our zero-access encryption model ensures Proton itself can’t decrypt the data at rest. This can help your company meet its obligation to secure data from internal and external threats, which is a core component of DORA’s ICT risk management requirements.
Secure communications
DORA emphasizes strong ICT risk management, including securing communications between financial institutions, their clients, and third parties. Proton Mail provides a secure email platform that encrypts email content and attachments, reducing the risk of interception or unauthorized access during transmission.
Proton Calendar can help your company to securely organize and manage internal and external meetings, safeguarding sensitive information such as strategic discussions or client data.
Proton’s services align with GDPR requirements for protecting personal data, which dovetails with DORA’s broader emphasis on safeguarding data and ensuring that operational resilience is maintained, particularly in the face of incidents or cyberattacks.
Incident response and continuity plans
DORA requires organizations to ensure they have backup and recovery plans in place as part of their operational resilience strategy. Proton Drive can assist with this, as it provides encrypted cloud storage to ensure critical financial data and documents are securely backed up and can be quickly recovered in the event of a disruption.
Proton’s infrastructure is built with redundancy across a high-availability server network, supporting rapid recovery of your data if a disruption occurs. As with any provider, you should confirm that the availability and recovery commitments match your own business continuity requirements and reflect them in your contract.
DORA also emphasizes the importance of safeguarding remote access to systems and data. With Proton VPN for Business’ dedicated servers, your company can provide secure, encrypted, segmented access to its onsite and SaaS resources, greatly reducing the risk of unauthorized access or of data being intercepted in transit.
Third-party risk management
As a secure ICT service provider, Proton can help your organization manage its third-party risks by offering services that comply with the highest standards of security. DORA requires financial institutions to carefully vet their third-party ICT providers, ensuring these providers have robust security and resilience measures in place.
Proton’s security and privacy-first approach makes us a trusted third-party service provider for entities that need to protect sensitive information. All our apps are open source, and we regularly commission independent audits so you can be confident that they are secure.
Reporting and transparency
Proton regularly publishes transparency reports that provide insight into how we handle data and respond to law enforcement requests, so you can document how your provider behaves when third parties seek access to data. DORA’s incident reporting obligations to national competent authorities rest with the financial entity itself; what Proton contributes is visibility into its own handling of your data and secure channels for the notifications you must send.
How using Proton aligns with DORA’s key requirements:
| DORA requirement | Proton’s solutions |
| --- | --- |
| ICT risk management | End-to-end encryption, zero-access encryption, secure data storage and communication |
| Data confidentiality and integrity | All our services use strong encryption to protect sensitive data |
| Third-party risk management | GDPR compliance and robust privacy practices make Proton a trusted third-party provider |
| Incident reporting | Transparency reports and secure communication platforms support timely incident response |
| Operational resilience and testing | Encrypted backups and services contribute to digital operational resilience |
| Secure communication | Proton Mail, Proton VPN, and Proton Calendar ensure secure internal and external communication across organizations |
Discover how Proton can help you with your DORA journey.