The EU's Digital Operational Resilience Act (DORA) marks a shift in cybersecurity regulation: from focusing on preventing cyber-attacks to also ensuring that firms can recover from them quickly and effectively, a property commonly called cyber resilience.
DORA was adopted in November 2022 as part of the EU's 2020 Digital Finance Strategy, which set out the ambition for Europe to become a digital single market for financial services.
It aims to improve the resilience of the financial sector to ICT-related operational disruptions, such as cyber-attacks.
Wide Scope
According to Jean-Philippe Gaulier, co-founder of Cyberzen, DORA was adopted in response to the EU regulators' concerns that the financial sector was not doing enough to mitigate cyber threats.
“Specifically, EU regulators were probably not thinking of big banks and insurance companies when drafting this bill, as they are among the best-prepared companies in the world to prevent and recover from cyber-attacks, but rather of other, perhaps less regulated institutions that play a role in modern financial services,” he told Infosecurity.
DORA therefore applies to a wide range of financial entities, including banks, insurance companies, investment firms, cryptocurrency exchanges and trading platforms, as well as the ICT third-party service providers deemed critical to them.