The National Bank of Romania (BNR) recently emphasized that the Digital Operational Resilience Act (DORA) extends beyond the financial sector, poised to impact the entire network of service providers connected to financial institutions. Compounding this inherent complexity is the tight implementation deadline, with DORA set to take effect on January 17, 2025 — just a few months from now.
BNR also cautions that all affected entities will fall under the scrutiny of European authorities such as the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA), through collaborative efforts involving both national and international financial supervisory teams.
The Digital Operational Resilience Act (DORA) is a regulatory framework established by the European Union to bolster the cybersecurity resilience of financial services institutions. Enacted in 2022 and coming into force in January 2025, EU Regulation 2022/2554 mandates that financial organizations enhance their operational resilience against disruptions such as cyberattacks, prioritizing recovery and continuity over traditional detection and protection methods. By setting rigorous standards for managing information and communication technology risks, incident reporting, resilience testing, and oversight of third-party service providers, DORA ensures that Europe’s financial sector can sustain business continuity during and after significant operational disruptions.
The need for DORA is undeniable. In 2024, nearly all financial institutions in Romania were hit by a wave of phishing and DDoS attacks. In March, these attacks took down the websites of BCR, Banca Transilvania, and Alpha Bank, while in June, even BNR and the Bucharest Stock Exchange were reportedly targeted. In response, the European Commission, through DORA, imposes stringent requirements to help financial organizations prevent such incidents. DORA sets uniform standards for the security of financial entities’ networks and IT systems, as well as for their critical ICT service providers. The regulation’s core goal is to enhance the digital operational resilience of the EU financial sector, ensuring that institutions can effectively manage and recover from severe operational disruptions and cyber threats.
By harmonizing existing ICT risk regulations across EU member states, DORA creates a cohesive framework for risk management, addressing gaps and inconsistencies in national regulations. It requires financial institutions and their ICT service providers to implement technical standards by 2025, aiming to prevent cross-border service disruptions and safeguard the entire European financial system.
DORA is considered an extension of the NIS 2 Directive (Network and Information Security) tailored specifically for EU financial entities. In Romania, the National Cybersecurity Directorate (DNSC), in collaboration with the National Bank of Romania (BNR) and the Financial Supervisory Authority (ASF), will act as the designated authorities under DORA.
Scope of Application: Entities Required to Comply with DORA Standards
DORA encompasses a broad range of financial entities, including banks, payment service providers, electronic money institutions, investment firms, crypto-asset service providers, and EU-regulated third-party ICT providers. As outlined by the Financial Supervisory Authority (ASF), the regulation also applies to central securities depositories, central counterparties, trading venues, alternative investment fund managers, management companies, data reporting service providers, insurance and reinsurance companies, insurance and reinsurance intermediaries, ancillary insurance intermediaries, occupational pension providers, critical benchmark administrators, and crowdfunding service providers. The regulation also provides for specific exceptions, set out in special clauses in the official DORA text.
Regulatory Requirements
The regulation customizes requirements according to the size of the entities, ensuring that smaller organizations are not held to the same stringent standards as larger financial institutions. DORA mandates technical requirements for financial entities and ICT service providers in five critical areas:
- Management and Governance of ICT-related risks: DORA mandates that ICT management be a direct responsibility of the financial entities’ leadership. Senior management is required to establish and implement effective ICT risk management strategies; otherwise, they will be held personally accountable. The regulation requires financial entities to develop a comprehensive IT risk management framework, which includes: mapping systems, identifying and classifying critical assets/functions, backup and recovery procedures, and ongoing risk assessments. These assessments involve business impact analyses across various risk scenarios. Entities must also implement cybersecurity measures such as identity and access management, patch management, threat detection, and response systems, as well as operational continuity plans.
- Incident management and reporting: Entities subject to DORA are required to implement systems for monitoring, managing, recording, classifying, and reporting ICT incidents. In the case of major incidents (those with a significant impact on networks or information systems), entities must report the situation both to the authorities (DNSC in Romania) and to affected clients and partners. For critical incidents, three types of reports are necessary: an initial report to notify the authorities, an interim report detailing progress in resolving the incident, and a final report analyzing the root causes of the cybersecurity incident. European authorities are working on standardized templates to simplify reporting.
- Operational resilience testing: Financial organizations are required to conduct regular testing of their ICT systems to identify vulnerabilities, with results and remediation plans reported to the relevant authorities. Basic tests, such as vulnerability assessments, and scenario-based tests must be performed annually. Furthermore, large, critical financial entities must undertake threat-led penetration testing (TLPT) every three years, involving their essential technology and communications providers. Technical standards for TLPT are currently under development and are expected to align with the TIBER-EU framework for ethical red-teaming.
- Third-party risk management: DORA extends to ICT service providers that support financial entities. Organizations must negotiate contracts that stipulate audit rights and performance metrics related to accessibility and security. Contracts with non-compliant providers are not permitted, and authorities have the power to suspend or terminate such agreements. The European Commission is considering standardized contractual clauses. Additionally, financial entities must avoid over-reliance on a single provider or a small group of providers for critical functions and maintain a comprehensive register of all IT service agreements.
- Information exchange: While DORA promotes the exchange of cybersecurity threat information among financial entities, it does not mandate it. Such collaboration should occur through established, trusted networks and formal agreements. All relevant information must also be reported to the competent authorities.
Penalties
Each member state will set its own rules for administrative sanctions, which must be effective and proportionate (aligned with the organization’s size) and may include:
- Issuing orders to halt illegal activities and prevent their recurrence;
- Temporarily or permanently ceasing non-compliant practices;
- Imposing fines of up to 2% of the entity’s total global annual turnover;
- Requesting relevant data records in cases of suspicion;
- Issuing public notices detailing the identity of the entity and the nature of the violation.
For example, if a Romanian bank uses a third-party cloud computing service to store and manage customer data, DORA requires the bank to ensure that this provider adheres to stringent cybersecurity standards. This entails not only implementing internal protective measures but also actively verifying and monitoring the cloud provider’s security protocols. In the event of a cyberattack that compromises client data, the bank must act swiftly to report the incident and demonstrate that it has a robust response plan to mitigate the impact. Should the third-party provider fail to meet DORA’s stringent standards, the bank may be required to either switch providers or implement additional security measures.
In conclusion, while DORA’s requirements may incur additional costs for financial entities, the long-term benefits are substantial. Enhanced protection and increased client trust in the stability and security of these institutions are significant advantages. Embracing these measures not only strengthens security but also positions financial organizations more competitively. It enables them to better manage risks and swiftly adapt to technological innovations in the sector. As the regulatory landscape continues to evolve, staying ahead of compliance requirements will be crucial for maintaining operational integrity and securing a competitive edge.
How you can partner with Datanet for DORA compliance
While the directives set forth by DORA are not entirely new, their implementation demands a multidisciplinary approach, encompassing both technological solutions and various departments (IT, Security, and Operations).
Datanet Systems provides comprehensive support in developing a strategy and action plan for DORA compliance. Our team of experts offers guidance throughout the entire process, including both consulting and technical expertise for implementation. Our portfolio features solutions from leading global vendors and addresses all operational requirements necessary for DORA alignment. Additionally, we have executed numerous projects to enhance cybersecurity for organizations across the financial, banking, and non-banking sectors.
For more information on developing a compliance plan for DORA, please contact us at sales@datanets.ro.