

Everything You Need to Know About the Digital Operational Resilience Act (DORA)

August 14, 2025

Written By:


Rob Stevenson

Founder

What is DORA?

The Digital Operational Resilience Act (DORA), formally known as Regulation (EU) 2022/2554, was created to address a significant gap in EU financial regulation. Prior to DORA, financial institutions managed risks by setting aside funds to cover potential losses. However, this approach overlooked ICT-related risks, such as cyberattacks, IT failures, and other technical disruptions.

DORA was introduced to tackle this issue and ensure organisations in the financial sector can maintain resilience in the face of technology-related threats. The act mandates that companies adopt strict measures to protect against ICT risks, focusing on protection, detection, containment, recovery, and repair.

What are the 5 Pillars of the DORA Regulation?

Under DORA, financial sector businesses must comply with the following five pillars:

  1. ICT Risk Management
    Organisations must create and maintain a comprehensive plan for managing all ICT risks within their operations.
  2. Incident Reporting
    Businesses must set up clear processes to monitor, report, analyse, and log significant ICT-related incidents.
  3. Digital Operational Resilience Testing
    Regular testing of ICT systems is required to ensure they can withstand both current and emerging cyber threats.
  4. Third-Party Risk Management
    Organisations must assess and manage the risks associated with third-party ICT service providers.
  5. Information Sharing
    Organisations are encouraged to share insights and data related to ICT risks and incidents to foster collaboration and build stronger overall ICT resilience across the financial sector.

Who Does DORA Apply To?

DORA applies to all companies in the financial sector that rely on ICT systems to conduct their business, including banks, insurance companies, investment firms, payment service providers, and more.

The leadership of each organisation is required to oversee the implementation of ICT risk management frameworks, ensuring their company remains resilient against technology-related disruptions. This also involves staying informed about emerging ICT risks and ensuring proper governance.

When Will DORA Be Implemented?

DORA officially came into effect on January 16, 2023, and businesses must be fully compliant by January 17, 2025. Organisations have been given a two-year transition period to implement the necessary changes and ensure they meet all regulatory requirements.

How is DORA Enforced?

European Supervisory Authorities (ESAs) are responsible for enforcing DORA and have the authority to impose penalties for non-compliance. These penalties can reach up to 2% of an organisation’s annual global turnover, with individuals facing fines up to €1 million for failing to comply with the regulations.

What You Should Have Prepared for DORA

With DORA already in effect, organisations should have the necessary measures in place to be fully compliant by the January 17, 2025, deadline. If you’re still working on your compliance plan, here are the key areas you should have already prepared:

  1. Establish an ICT Risk Management Framework
    • Identifying critical assets and the risks associated with them
    • Implementing protective measures like firewalls, encryption, and continuous monitoring
    • Regularly updating your risk management framework to stay ahead of emerging risks
  2. Set Up Incident Reporting Processes
    • Defining the types of incidents and creating reporting channels
    • Establishing clear incident response protocols
    • Training staff to handle ICT incidents effectively and refining procedures based on feedback
  3. Test ICT Systems Regularly
    • Conducting penetration tests and simulating cyberattacks to identify weaknesses
    • Reviewing your protocols to ensure you can respond to emerging threats
  4. Set Up a Third-Party Risk Management System
    • Evaluating third-party ICT service providers to ensure they can manage the ICT risks they introduce
    • Ensuring secure backup and recovery processes with third-party providers to meet DORA requirements
  5. Establish a Clear Governance Structure
    • Designating roles and responsibilities for managing ICT risks
    • Ensuring leadership is actively involved in monitoring and responding to risks

How Does DORA Affect Data Backups?

DORA’s Article 12, Section 3 outlines the backup, restoration, and recovery requirements for financial entities. To comply with DORA, EU businesses must be able to:

  • Restore backups to a different physical or logical location
  • Ensure immutable backup data so that backups cannot be modified or corrupted

This applies to all data, no matter where it is stored, not just servers and desktops. For organisations that rely on cloud-based SaaS apps, the best way to achieve this is through a third-party backup solution that offers independent, secure storage for your data.

BackupVault – Helping You Stay Compliant with DORA Data Backup Requirements

BackupVault is your partner in achieving DORA compliance, offering secure, encrypted backup solutions for servers, VMs, desktops and popular SaaS applications like Microsoft 365, Google Workspace, and other cloud platforms. Here’s how BackupVault helps you stay compliant:

  • Independent, Secure Backup Storage:
    BackupVault stores your data in ISO-certified UK-based data centres, giving you full control over your backup location and access.
  • Immutable Backups:
    Our backup solutions are immutable, meaning your data is protected from any changes or corruption, ensuring full compliance with DORA.
  • Easy Restoration:
    BackupVault makes it easy to restore your data quickly and reliably to a physically or logically separate location, whenever needed.
  • 24/7 UK-Based Support:
    Our expert support team is available around the clock to help with setup, recovery and compliance questions—giving you peace of mind when it matters most.

With BackupVault, you can rest assured that your data is not only secure and compliant with DORA but also easily accessible whenever you need it.

Get Started with BackupVault Today

Don’t wait until the deadline approaches. Start preparing for DORA compliance now. Sign up for a free 14-day trial of BackupVault and see how our secure and compliant backup solutions can keep your data safe and accessible – no matter what.