DORA: What does the EU regulation have to do with System Hardening? [Update]

If you work in the financial sector, you need to know about DORA. Here you can find out what the new EU regulation means for your company or organisation and what important role system hardening plays in this.

What is DORA?

The acronym “DORA” stands for “Digital Operational Resilience Act”. This European Union regulation aims to strengthen digital operational resilience across the financial sector. It is designed to ensure that financial institutions such as banks and insurance companies are able to protect their IT systems and digital processes from cyber threats and to recover quickly from security incidents.

When is DORA “valid”?

The regulation (specifically: Regulation (EU) 2022/2554) was adopted by the European Parliament and the Council of the European Union on 14 December 2022. DORA has been applicable since January 17, 2025. This means that from this date, the institutions and companies concerned must implement the requirements in practice.

But there are exceptions: “There is a transitional period for some institutions. They do not have to fully apply DORA until January 1, 2027. This is regulated by the KWG, the German Banking Act,” explains Jens Obermöller in a German interview.

The Head of Division, IT Supervision Group at BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht / Federal Financial Supervisory Authority), continues: “After the transitional period, we will also repeal the BAIT [Bankenaufsichtliche Anforderungen an die IT / banking supervisory requirements for IT] in full. Who exactly is affected and which DORA requirements must be met and when has been defined in the German Finanzmarktdigitalisierungsgesetz (Financial Market Digitization Act).”

Why is DORA needed?

With the increasing digitalisation and networking in the financial sector, the risk of cyber attacks and IT failures is growing. These can endanger not only individual institutions, but also the stability of the entire financial system.

The Digital Operational Resilience Act was therefore introduced to create a uniform framework for digital resilience in the financial sector, which is intended to improve prevention, detection, response and recovery in the event of disruptions and threats.

All organisations and companies affected by DORA must therefore take appropriate technical and organisational measures to minimise the risks of a cyber security incident. In addition, any possible compromises must be reported and eliminated without delay.


Which companies does DORA apply to?

The European regulation on digital resilience in the financial sector applies to a wide range of companies and organisations, for example:

    • credit institutions
    • payment service providers
    • investment firms
    • providers of crypto services
    • trading venues
    • transaction registers
    • insurance and reinsurance companies
    • crowdfunding platforms
    • IT service providers that work for the companies mentioned above

The Digital Operational Resilience Act does not apply to, for example:

    • post office giro institutions in accordance with Directive 2013/36/EU
    • micro-enterprises or SMEs in the field of insurance mediation
    • institutions for occupational retirement provision with fewer than 15 members

What do IT Managers need to be aware of regarding DORA?

If you are responsible for the IT systems of a company that has to comply with the Digital Operational Resilience Act, you will have to implement, optimise and constantly monitor the following measures, among others:

Extended IT risk management

DORA requires you to implement a comprehensive risk management framework that assesses existing risks and includes preventive and reactive measures. You must ensure that risks are continuously identified, assessed, monitored and mitigated.

You also have to develop guidelines and procedures that increase the resilience of your systems to a wide range of cyber threats.

Increasing resilience

When implementing DORA, you must take measures to make your IT system landscape more robust against cyber attacks. This includes reducing the attack surface by deactivating unnecessary services, implementing strict access controls, professional patch management and encrypting sensitive data.

In other words, make sure that your systems are better protected – for example, by System Hardening.

Testing digital operational resilience

DORA requires you to regularly demonstrate the resilience of your IT systems. To do this, you must check your systems and processes using a range of tests, including anomaly detection and penetration testing. These tests are designed to uncover vulnerabilities and verify the effectiveness of your response and recovery plans.

As the person responsible for IT, you are responsible for ensuring that these tests are carried out at appropriate intervals and that the results are used to continuously improve security measures.

Reporting and transparency

The European cybersecurity regulation for the financial sector also emphasises the importance of reporting. According to DORA, you must be able to report significant cybersecurity incidents immediately in order to enable a rapid response and mitigation.

This requires the establishment of efficient communication channels and reporting mechanisms within your organisation and to the supervisory authorities.

Managing third-party risks

Many companies and organisations work closely with IT service providers to overcome the many challenges they face. However, there are risks associated with this cooperation. You therefore need to ensure that the contracts with third-party providers contain appropriate security requirements.

You also need access, inspection and audit rights to verify compliance with these requirements. This is the only way to find out how well your service provider is working.


Promoting cybersecurity

The Digital Operational Resilience Act aims to promote the internal exchange of information and the development of cybersecurity knowledge. You therefore have to create awareness and understanding of security risks among employees. Training and regular information campaigns are crucial to ensuring that security guidelines are followed.

What does DORA mean for System Hardening?

The new EU regulation creates a legal framework aimed at strengthening the digital resilience of your financial institution. System Hardening plays a central role in this framework, as it directly contributes to increased resilience against numerous cybersecurity threats.

Specifically, DORA addresses various issues, some of which we would like to present here as examples:

DORA example 1: Section VI – Network Security (Art. 13 RTS RMF)

In point 71 in the “Network Security” section, it says:

“Secure configuration baselines, network hardening, and session termination after inactivity limit potential attack vectors.”

This can be freely translated as: “System Hardening reduces the potential (…) attack surface.”

DORA example 2: Article 11 RTS RMF – Data and System Security

This area is particularly interesting because it not only refers to the one-off application, but also to the regular monitoring of leading standards. The wording is as follows:

“The data and ICT system security procedure referred to in paragraph 1 shall include all of the following elements related to data and ICT system security, in accordance with the classification performed pursuant to Article 8(1) of Regulation (EU) 2022/2554:

(a) the access restrictions, in line with Article 21, supporting the protection requirements for each level of classification;
(b) identification of secure configuration baseline for ICT assets that will minimise their exposure to cyber threats and measures to verify regularly that these baselines are those that are effectively deployed. The secure configuration baseline shall take into account leading practices and appropriate techniques referred to in standards (..)”

Update: BaFin implementation notes

On 8 July 2024, BaFin published on its German website the implementation guidelines for DORA.

In our view, BaFin has once again made it very clear with this publication that the actual technical situation must be brought into line with the paper/document situation to a much greater extent than before.

The following is an example of the wording used:

“(…) for the area of operational information security in DORA, it can be seen that the level of detail of the requirements is significantly higher than previously described in Chapter 5 of the BAIT/VAIT. The level of detail corresponds more to the explanations of the BAIT/VAIT as minimum requirements (..)”

For System Hardening, it is clearly stated that “(..) hardening measures are taken and these are regularly checked (..)”

“Protection” as the top priority – that applies to everyone!

You must implement preventive measures to minimise IT risks – this is not only required by DORA, but also recommended by the NIST Cybersecurity Framework.

By hardening your system, you can reduce the attack surface by removing or disabling insecure or unnecessary services, functions and applications, for example. This ensures that many attacks cause no or very little damage.

Implementing robust access controls

Access control is an essential component of System Hardening. DORA expects you to implement strict control mechanisms to ensure that only authorised persons have access to sensitive systems and data.

It is important that you detect configuration changes as quickly as possible, whether they are intentional or not. A tool such as Enforce Administrator is suitable for monitoring access controls and system configurations.


Regular security assessment

You need to conduct regular audits to identify and fix vulnerabilities in your systems. This includes checking how securely your systems are configured.
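The requirement quoted above from Article 11 RTS RMF (a secure configuration baseline plus measures to verify regularly that it is effectively deployed), the point about detecting configuration changes quickly, and the regular configuration audit described here all come down to the same mechanism: compare what a system actually reports against a declared baseline and record the result per control. The following Python script is an added example of that mechanism; it is not part of the original article and not code from Enforce Administrator. It reads a local security policy export in the INI shape that Windows `secedit /export /cfg <file>` produces, but the sample export and the baseline values below are constructed for this example and do not reproduce any CIS, DISA, BSI or ACSC benchmark. Controls that are absent from the export are reported as “missing”, not as passed, because an undefined setting is no evidence of hardening.

```python
"""Verify that a declared secure-configuration baseline is actually deployed.

Added example (not the article's or Enforce Administrator's code). It parses a
secedit-style policy export, compares each observed value with a declared
baseline rule and records pass / fail / missing per control so the result can
be kept as audit evidence.
"""
import configparser
import operator
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: section and key names follow the secedit export layout,
# but every value is invented for this example. (A real export is UTF-16
# encoded; read it with open(path, encoding="utf-16").)
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 0
MaximumPasswordAge = 90
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Hypothetical baseline, one entry per control:
# (section, key, comparison, required value). The numbers are illustrative.
BASELINE = [
    ("System Access", "MinimumPasswordLength", ">=", 14),
    ("System Access", "PasswordComplexity", "==", 1),
    ("System Access", "LockoutBadCount", "between", (1, 10)),
    ("System Access", "MaximumPasswordAge", "<=", 365),
    ("System Access", "ClearTextPassword", "==", 0),  # not in the sample export
]

COMPARATORS = {
    ">=": operator.ge,
    "<=": operator.le,
    "==": operator.eq,
    "between": lambda observed, bounds: bounds[0] <= observed <= bounds[1],
}


@dataclass(frozen=True)
class Finding:
    section: str
    key: str
    rule: str
    observed: Optional[int]
    status: str  # "pass", "fail" or "missing"


def parse_export(text: str) -> configparser.ConfigParser:
    """Parse a secedit-style INI export; option names match case-insensitively."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def check_baseline(export_text: str, baseline=BASELINE) -> List[Finding]:
    """Evaluate every baseline control against the observed export."""
    cfg = parse_export(export_text)
    findings = []
    for section, key, op, required in baseline:
        rule = f"{key} {op} {required}"
        raw = cfg.get(section, key, fallback=None)
        if raw is None:
            # Undefined on the host: fail closed, this is a finding for the auditor.
            findings.append(Finding(section, key, rule, None, "missing"))
            continue
        observed = int(raw.strip().strip('"'))
        ok = COMPARATORS[op](observed, required)
        findings.append(Finding(section, key, rule, observed, "pass" if ok else "fail"))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per status, e.g. for a dashboard or a report header."""
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for finding in findings:
        counts[finding.status] += 1
    return counts


def is_compliant(findings: List[Finding]) -> bool:
    """True only if every control passed; missing controls count as non-compliant."""
    return all(finding.status == "pass" for finding in findings)


def format_report(findings: List[Finding]) -> str:
    """Human-readable evidence lines, one per control."""
    return "\n".join(
        f"{f.status.upper():7} [{f.section}] {f.rule} (observed: {f.observed})"
        for f in findings
    )


if __name__ == "__main__":
    results = check_baseline(SAMPLE_EXPORT)
    print(format_report(results))
    print(summarize(results), "compliant:", is_compliant(results))
```

Run against the constructed export, two controls pass, two fail and one is missing, so the host is reported as non-compliant. In practice the same check is scheduled (for example daily) and each run's report is stored, which gives both the regular verification that Article 11 asks for and a timeline from which unexpected configuration changes can be spotted.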

With a programme like Enforce Administrator, you can carry out the necessary checks and create evidence for individual systems in just a few minutes.

The hardening reports (“Security Configuration Assessment”) provide you with a transparent and comprehensible overview of the extent to which your operating systems and applications are hardened in accordance with the requirements of CIS, DISA, ACSC, BSI and Microsoft.

How Enforce Administrator fulfills the DORA requirements

This overview shows you the requirements of the Digital Operational Resilience Act in the area of “Secure Configuration” and “System Hardening” and how the Enforce Administrator meets these requirements:

DORA finding: Nothing works in the financial sector without Secure Configuration or System Hardening.
Enforce Administrator solution: Enforce Administrator ensures continuous, automated hardening of your IT systems.

DORA finding: Self-devised security configurations are a thing of the past. Established standards must be used.
Enforce Administrator solution: With Enforce Administrator, your systems are hardened according to the latest standards – for example, according to the recommendations of CIS, DISA, BSI, ACSC and Microsoft.

DORA finding: Measures that control the actual implementation of the configuration are extremely important.
Enforce Administrator solution: A core function of the Enforce Administrator is the independent monitoring of systems and centralized reporting.

DORA finding: DORA demands clear and comprehensible documentation of the measures taken.
Enforce Administrator solution: Recognized reporting, for example for audits, can be created with the Enforce Administrator at the touch of a button.

DORA finding: All these measures are extremely difficult and very time-consuming to implement with Windows group policies.
Enforce Administrator solution: Enforce Administrator does not work on the basis of GPOs, but with PowerShell scripts. As it is a no-code tool, you do not have to write a line of code yourself.

Conclusion

At first glance, it may seem annoying that the European Union has issued another regulation that will mean more work for companies and their IT departments. But DORA, like other regulations, laws and standards (for example, GDPR, NIS2 and ISO27001), makes perfect sense!

All players in the financial sector are of eminent importance for the stability of the state and its institutions, and their IT systems must therefore be protected as well as possible – not just once, but on an ongoing basis. You can achieve this resilience against cyber attacks and their consequences by implementing System Hardening, among other things.

Can we help you?

Would you like to know how you can professionally implement an (automated) system hardening in your company? Talk to us – our System Hardening experts are glad to help!
