What is the Digital Operational Resilience Act (DORA)?

What is DORA?

Financial institutions and organisations are often a major target of malicious hackers looking to gain access to sensitive data. According to FS-ISAC, financial organisations saw a 64% increase in ransomware attacks in 2024. Given the large amount of sensitive information these organisations have to manage, it’s imperative that effective measures are taken to safeguard systems and networks. 

In November 2022, the European Parliament and the Council of the European Union (EU) adopted the Digital Operational Resilience Act (DORA). The regulation aims to enhance the operational cyber resilience of the financial sector and other critical industries against information and communication technology (ICT)-related risks. It establishes a comprehensive framework for managing ICT risks and aims to ensure the continuity of essential services in the event of disruptions caused by cyberattacks, technical failures or natural disasters. The DORA regulation took effect on 17 January 2025.

Who has to comply with the DORA regulation?

The regulation applies to financial entities and other organisations in the EU, including:

  • Credit institutions
  • Investment firms
  • Payment institutions
  • E-money institutions
  • Insurance undertakings
  • Reinsurance undertakings
  • Collective investment undertakings
  • Central securities depositories
  • Third-party ICT providers to financial entities
  • Organisations handling financial transactions
  • Healthcare companies handling sensitive data

In addition, certain entities outside the EU may also be subject to DORA if they provide critical services to financial entities in the EU.

Consequences of Non-Compliance with the DORA Regulation

Organisations that fail to comply with the DORA regulation may face significant consequences, including:

  • Financial penalties: Regulatory authorities may impose substantial fines on non-compliant organisations. The exact amount of fines will depend on the severity of the violations and the size of the organisation.
  • Reputational damage: Non-compliance with DORA can damage an organisation’s reputation and make it less attractive to customers, investors and partners.
  • Operational disruptions: Failure to comply with DORA can lead to operational disruptions, such as downtime and data breaches, which can result in lost productivity, financial losses and legal liability.
  • Loss of market access: In some cases, non-compliant organisations may be prohibited from operating in certain markets or jurisdictions.

Overall, organisations should take DORA compliance seriously and allocate the necessary resources to ensure they meet the requirements of the regulation.

DORA and Cyber Resilience

DORA places a heavy emphasis on enforcing security measures to ensure that EU financial organisations can withstand and recover from cyberattacks. These attacks are becoming increasingly sophisticated and frequent, can have a significant impact on financial organisations and the economy as a whole, and disrupt the essential services that many people rely on in their day-to-day lives. When building cyber resilience, it’s important to remember that preventing breaches deserves as much attention as the protections and procedures that come into play after a breach has happened.

Choosing the correct security testing solutions is critical. Automated scanners and traditional pentesting methods can’t keep up with today’s threats: they can delay the vulnerability remediation process and leave findings unpatched, exposing organisations to cyberattacks. Even without the requirements of the DORA regulation, organisations, regardless of industry, should always strive for an effective, robust cybersecurity program.

The Five Pillars of DORA

What are the five pillars of the DORA regulation? The breakdown includes:

  • ICT Risk Management: Involves identifying, assessing and prioritizing risks that could impact an organisation’s ICT systems. 
  • ICT-related Incident Reporting: Under DORA, ICT-related incidents that have a significant impact on the financial entity’s operational continuity must be reported to the relevant authorities. The reporting requirements are based on the severity of the incident and the entity’s size and importance.
  • Digital Operational Resilience Testing: Organisations are required to test their ICT systems and assess the effectiveness of their security measures. 
  • ICT Third-Party Risk Management: The risk management of third-party vendors is also a requirement for DORA. 
  • Information Sharing: Organisations are stronger when they collaborate on cyber threats, potential risks and threat intelligence, which is why information sharing amongst financial companies is highly encouraged. 

DORA Requirements for Testing

DORA has established a set of stringent testing requirements that organisations must adhere to, underscoring the necessity for regular testing and red teaming operations to proactively identify and mitigate vulnerabilities. This means threat-led penetration testing (TLPT) at least every three years, along with source code reviews, vulnerability assessments and scans, open source analysis, scenario-based testing, end-to-end testing and penetration testing. DORA also requires annual testing of all ICT systems and applications that support critical functions.

By implementing these testing requirements, organisations can significantly enhance their ability to identify and address vulnerabilities, thereby reducing the risk of security incidents and ensuring compliance with DORA regulations.

Meet Compliance and Build Cyber Resilience with Synack

A good cyber resiliency strategy starts with the right solutions. As stated in Article 24(1), organisations must “establish, maintain and review a sound and comprehensive digital operational resilience testing program.” 

Synack is CREST-certified and offers various security testing solutions that can aid financial services companies and third-party service providers with their DORA compliance and build resilience. These include:

Highly Vetted and Skilled Security Researchers: Unlike other security testing providers, Synack does not let anyone simply create an account and become a member. To officially join the Synack Red Team (SRT), our community of skilled security researchers, applicants are verified for both trust and skill. This process averages six months and includes an in-depth, five-step vetting process.

Our community of security researchers comes from various backgrounds and industries, hailing from countries like the United States, Australia, New Zealand, the United Kingdom and Canada. All of them bring something different to the table, with some specializing in AI/LLM vulnerabilities and others being experts in XSS attacks. It’s this range of skills that sets the SRT apart from the competition.

Code Audits: A source code review is a systematic examination of computer source code to find bugs, security vulnerabilities and other problems. It is a quality assurance activity that can also improve code quality, readability, maintainability and knowledge sharing among developers.

Synack provides static code analysis across a wide variety of languages including C++, Python, Java and many more. Our source code review can help your organisation save on potentially costly unaddressed risks and remediate risks in a timely manner.

Pentesting: Penetration testing is an important part of any organisation’s security strategy. It can help to identify vulnerabilities that could be exploited by attackers, and it can also help to improve the organisation’s security posture by identifying and fixing security weaknesses.

Synack provides scalable, continuous and point-in-time penetration testing for your cloud, APIs, web apps, host infrastructure, mobile and AI/LLMs. Powered by our Penetration Testing as a Service (PTaaS) platform, our security researchers work to discover critical vulnerabilities before malicious hackers get the opportunity.  

Red Teaming: Red teaming is a simulated cyberattack on an organisation’s systems and networks by a team of security experts. The goal of red teaming is to identify vulnerabilities that could be exploited by real attackers and to test the organisation’s ability to respond to a cyberattack.

Synack provides red teaming as a one-time or continuous service to identify security risks from a near side, external or internal perspective using the specialized skills of the SRT. By emulating a real-world attack, organisations can easily test the effectiveness of their security controls or network against a specific adversarial objective.

Bug Bounty: A bug bounty program is a type of security testing methodology in which rewards are given to individuals who report vulnerabilities in an organisation’s systems and applications.

The Synack Platform features the best aspects of bug bounty. Our PTaaS platform powers the SRT and uses an incentivized model, similar to standard bug bounty programs. However, we handle the payments for the organisations, operating at a firm, fixed price. Organisations get all the benefits of bug bounty without the hassle of payouts, which can eat up a large portion of an organisation’s valuable cybersecurity budget.

Vulnerability Disclosure Program (recommended): A Vulnerability Disclosure Program (VDP) is a formal program that allows security researchers and ethical hackers to report vulnerabilities to organisations. The goal of a VDP is to encourage responsible disclosure of vulnerabilities so that they can be fixed before they are exploited by malicious actors. While not mandated by DORA, implementing a VDP supports the regulation’s recommendation of having a robust vulnerability management system.

At Synack, we take on end-to-end management of your VDP, providing a white-glove option for responsible disclosure that relieves much of the administrative burden from busy security teams. We handle vulnerability triage with remediation guidance, coordinate researcher recognition, deliver data to support reporting and communicate with researchers on your behalf.

Why the Synack Platform Stands Out

The Synack Platform provides continuous security testing with attack surface discovery and vulnerability management capabilities that empower organisations to identify assets, launch rigorous tests, discover vulnerabilities and efficiently address them in a timely manner. 

By utilizing actionable, real-time analytics, customizable reporting and root cause analysis of vulnerabilities, security teams can adopt a proactive approach to cybersecurity, learning from past vulnerabilities and fortifying their systems against future threats. This proactive methodology enhances resilience and an organisation’s ability to recover swiftly from exploitable weaknesses.

Get Started

If you’re interested in learning more about how Synack can help your organisation with its DORA compliance, request a demo today.