Share This:


In many places, DORA (Designated Outdoor Refreshment Area) means you can walk the streets in designated areas with an adult beverage. But in cybersecurity circles, DORA has a completely different meaning.

Landmark legislation aims to ensure digital operational resilience

Managed service providers (MSPs) with clients in the financial services sector should pay close attention to this legislation, as the bill explicitly states that it applies to critical third parties (MSPs fall under this category) providing ICT (information communication technologies)-related services to financial entities. The European Parliament passed the landmark piece of legislation known as the Digital Operational Resilience Act (DORA), in late 2023, and it will take effect in January 2025. This is so organizations, cybersecurity specialists, and MSPs have plenty of time to comply with the new legislation.

The bill says that it creates a regulatory framework on digital operational resilience, whereby all firms need to make sure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

“In other words, before this, it was like the ‘wild west’ with a patchwork of solutions, software, and reporting if there was a breach in the financial services sector. Now there are specific criteria and infrastructure that these entities need to have in place,” explains Stan Snyder, an independent IT consultant in New York City who has clients in Europe also.

You can read the full text of DORA.

Some key requirements

  1. Robust ICT risk management: DORA establishes a mandatory framework for managing ICT risks. Financial institutions must identify vulnerabilities, implement safeguards, and continuously monitor their systems. This will make it harder for cyber attackers to exploit weaknesses. “This is a big step, and MSPs with financial clients will need to have a framework in place. MSPs will be expected to take the lead on implementation in many cases,” Snyder asserts.
  2. Improved incident response: DORA requires institutions to have plans for detecting, responding to, and reporting cybersecurity incidents. This will enable them to react faster to breaches and minimize damage. “The mandatory reporting is a big deal; a breach can no longer be contained and swept under the rug; there has to be reporting of the breach,” Snyder says.
  3. Enhanced third-party security: DORA also applies to critical third-party providers. This means companies supplying ICT services to financial institutions will also strengthen their security standards. “This part of the legislation is aimed directly at MSPs and others in the ecosystems. They essentially don’t want a bank to be able to have a breach and then wash their hands of it and blame the third-party provider,” notes Snyder. He adds that this part of DORA is good for the bank and the MSP. Banks can’t just blame an MSP if there is a breach.
  4. Information sharing: DORA encourages collaboration between financial institutions in sharing threat intelligence. This will help them stay informed about the latest cyber threats and develop more effective defenses. “Overall, DORA is a comprehensive set of regulations that will make the E.U.’s financial sector more resilient to cyberattacks. By improving ICT risk management, incident response, and third-party security, DORA will make it more difficult for cybercriminals to disrupt financial services,” Snyder says.

Expect stiff penalties for non-compliance

If it has teeth, any legislation has penalties, and DORA is no different. Although, the law doesn’t get into specifics. One can infer financial penalties, and the bill states, “Those penalties and measures shall be effective, proportionate, and dissuasive.”

Further emphasizing that the penalties will likely be financial, the bill says the penalties can be “pecuniary, to ensure that financial entities continue to comply with legal requirements.”

“Financial penalties are a language that financial institutions understand, so you can believe that, depending on the violations, financial penalties will be stiffly meted out,” explains Snyder.

The bill also leaves the door open for criminal charges if events warrant.

A domino effect

Snyder notes one of the most promising aspects of DORA goes beyond the legislation and into the “domino effect.” The entire ecosystem around the financial services sector strengthens cybersecurity. “In essence, DORA creates a domino effect where stronger cybersecurity within financial institutions leads to a more secure environment for all businesses they interact with,” he says.

That is a win for everyone. Stay tuned here for more guidance as the implementation of DORA approaches. MSPs in the United States should follow much of DORA’s framework.

“U.S. companies that do business with European entities will have to follow DORA. We also know that once a landmark law is passed in one place, it tends to get duplicated elsewhere. Being prepared is prudent. It’s only a matter of time before a version of DORA comes to the USA,” Snyder estimates.

Photo: Tijana Moraca / Shutterstock

Share This:
Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *