The DORA (Digital Operational Resilience Act) regulation applies from 17 January 2025, imposing new requirements on EU financial entities to strengthen their digital operational resilience.
Key calendar
- Entry into force: 16 January 2023
- Date of application: 17 January 2025
Who is concerned?
This regulation applies to a wide range of players in the financial sector. Without being exhaustive, the main categories are:
- Credit institutions: national commercial banks, cooperative and mutual banks, online banks, specialized credit institutions
- Investment firms: brokerage firms, trading firms, market firms, trading platforms
- Insurance companies: life insurers, property and casualty insurers, reinsurers, mutual insurers
- Market infrastructures: stock exchanges, clearing houses, central securities depositories, settlement and delivery systems
- Fund managers: portfolio management companies, alternative fund managers, UCITS managers, private equity managers
- Crypto service providers: cryptocurrency exchanges, digital asset custody services, stablecoin issuers, digital wallet providers
- Critical ICT providers: cloud computing providers, data hosting services, security service providers, payment solutions
Why DORA?
DORA (Digital Operational Resilience Act) was adopted by the European Commission as part of its digital finance strategy.
This regulation responds to the financial sector's growing dependence on digital systems and third-party services by establishing a unified framework for managing ICT risk.
DORA in plain terms
This regulation harmonizes approaches to ICT risk management and imposes common requirements for cybersecurity, incident management, resilience testing and the management of third-party ICT service providers.
1. Computer security
The organization must maintain an exhaustive inventory of its ICT assets and identify its critical systems.
A program of periodic checks must be established, accompanied by precise performance indicators and a preventive maintenance schedule.
2. Incident Management
The notification procedure requires an alert within 2 hours of any major incident, followed by a preliminary report within 24 hours and a complete file within 30 days.
Critical incidents (interruption of more than 30 minutes, data compromise, cyberattacks) must be reported immediately to the competent authorities.
3. Test program
The institution must conduct regular security assessments of critical applications and validate business continuity plans.
Crisis simulations and recovery tests must be carried out periodically, with validation by independent auditors.
4. Management of service providers
A rigorous evaluation of service providers is required, including analysis of their financial strength and their security arrangements.
Their performance must be monitored continuously, complemented by annual audits and a documented reversibility (exit) plan.
5. Protective devices
The infrastructure must incorporate strong authentication and strict access management.
Sensitive data must be encrypted, the network architecture secured, and a robust backup system put in place. Ongoing monitoring of the systems is mandatory.
Possible sanctions
- Up to 2% of annual turnover
- Compliance injunctions
- Possible suspension of activity
- Publication of sanctions
Identity and strong authentication with DORA
With regard to authentication, the DORA regulation imposes specific requirements on financial entities to strengthen the security of their systems. The main ones are:
- Establishment of strong authentication mechanisms: businesses must implement protocols and procedures relating to strong authentication mechanisms.
- Access rights control policy: a detailed policy must be developed, documented and implemented to manage access to ICT assets. This policy should include:
  - Allocation of access rights based on the principles of need to know, need to have and least privilege, including for remote access and emergency access.
  - Segregation of duties to prevent unwarranted access to critical data.
  - User accountability provisions, limiting the use of generic or shared accounts.
  - Account management procedures for granting, modifying or revoking access rights.
- User identification: businesses must ensure that users are identifiable at all times for the actions they carry out in ICT systems.
- Access restrictions: controls and tools must be in place to prevent unauthorised access to ICT assets.
- Physical access control: measures must be taken to control physical access to ICT assets.
For more information or assistance in your DORA compliance, do not hesitate to contact us.
Financial firms should prepare now for DORA, the new European digital resilience regulation, as achieving compliance by January 2025 requires significant changes to their systems and processes.
ShareID meets these regulatory requirements thanks to its strong MFA 3.0 authentication and its ZTZKP (Zero Trust Zero Knowledge Proof) technology.
Our solution secures data exchanges without storing them and with advanced encryption, allowing precise access control while ensuring compliance with DORA standards.
Do not hesitate to contact us to find out more about supporting your compliance.