DORA: What You Need to Know
The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that was enacted in January 2023 and will apply to regulated entities as of January 2025. Digital Operational Resilience refers to the ability of financial entities to maintain IT security and withstand operational disruptions. The act is aimed at strengthening the IT security of financial organizations in the EU and ensuring that they can stay resilient in the event of a cyberattack or other severe operational disruption.
DORA focuses on Information and Communications Technology (ICT) systems and applies to all financial institutions in the EU. This includes traditional entities such as banks, insurance companies, investment firms, and credit institutions, as well as non-traditional entities like crypto firms and crowdfunding platforms. The regulation also extends to ICT third-party service providers, including cloud service providers and data centers. Although DORA is an EU regulation, any organization that works with EU-covered entities must maintain compliance, regardless of its physical location.
DORA regulations can be grouped into three core concepts:
- ICT Risk Management: Regulated organizations must have a documented ICT risk management framework that ensures a high level of operational resilience, including regular testing.
- Incident Management: Organizations must have an ICT incident management process for the detection, remediation or resolution, and notification of ICT-related incidents.
- Supply Chain Security: Organizations must manage ICT third-party risk as an integral part of their risk management framework.
In addition to these requirements, DORA encourages, but does not require, information sharing among covered parties.
The regulations in DORA are similar to those in the Network and Information Security (NIS2) Directive. Both DORA and NIS2 share the common goal of ensuring cyber resilience, though their target sector definitions differ, with some overlap, especially in the financial sector. While NIS2 has a wider scope, DORA imposes more demanding requirements for security testing. Since financial institutions fall under the scope of both DORA and NIS2, they must comply with both regulations.
Why DORA and Why Now?
The financial sector is becoming increasingly dependent on internet technology as well as fintech (financial technology) and non-financial technology companies to deliver financial services. With this increasing dependence comes the increasing risk of cyberattacks and other service disruptions. In 2023, the number of cyberattacks on European financial services more than doubled, and the average cost of a cyberattack on entities in the financial sector worldwide was a staggering $5.9 million.
With today's distributed systems and the interconnected nature of financial operations, disruptions can easily spread across national borders. Before DORA, there was no unified program across the EU to strengthen digital operational resilience of its financial institutions and third-party service providers. DORA strengthens and harmonizes the ICT risk management regulations that already exist in EU member states, and establishes a universal framework for managing and mitigating IT risk in the entire financial sector.
DORA and Pentesting
It is in every ICT organization’s vital interest to identify and resolve or remediate vulnerabilities in its IT systems and applications before they can be exploited by bad actors. DORA requirements include regular testing for operational stability, and for threat detection and response. Pentesting, the simulation of a cyberattack under near-real-world or actual real-world conditions, is perfectly suited to this task and is a critical tool for satisfying DORA requirements.
DORA requires two levels of testing. All regulated entities must perform digital operational resilience testing at least annually for systems and applications supporting important functions to detect vulnerabilities and weaknesses, and to validate security controls in place. DORA also mandates threat-led pentesting (TLPT) at least once every three years, which focuses on specific threats for the most important financial operations as designated by authorities in each country.
In addition to detecting vulnerabilities in ICT systems before they can be exploited, pentesting can also be deployed during application development to check applications for vulnerabilities before they are installed, improving the organization’s overall security posture. It can also be used to improve overall resilience by giving the organization an opportunity to react to a cyberattack in a test situation, rather than in an actual cyber event.
Satisfy DORA Requirements with HackerOne’s Comprehensive Security Testing Solutions
HackerOne offers a comprehensive suite of security solutions designed to help financial services organizations meet DORA compliance requirements. Our portfolio includes a CREST-accredited Pentest as a Service (PTaaS) model, Code Security Audits, Bug Bounty programs, and Spot Checks. This integrated approach aligns perfectly with DORA's mandates for regular and comprehensive ICT risk assessment and management, as outlined in Articles 24 and 25.
At its core, HackerOne Pentest provides a detailed, methodology-driven approach to security testing conducted by heavily vetted security researchers. In accordance with DORA Article 24(1), our pentest services help organizations establish, maintain, and review a sound and comprehensive digital operational resilience testing program as an integral part of the ICT risk-management framework. Each pentesting engagement with HackerOne delivers detailed reports and attestations, providing documented evidence of DORA compliance efforts. This aligns with the need for "internal validation methodologies" as mentioned in Article 24(5).
Our pentesting services are complemented by:
- Code Security Audits (CSA): HackerOne's CSA service addresses DORA Article 25(1)'s requirement for "source code reviews where feasible." Conducted by over 600 vetted senior software engineers, these audits provide a comprehensive view of your codebase's security posture, identifying vulnerabilities that automated tools might miss.
- Bug Bounty Programs: HackerOne Bounty offers continuous, human-powered security testing, aligning with DORA Article 24(6)'s mandate for yearly testing of "all ICT systems and applications supporting critical or important functions." This always-on approach ensures your systems are constantly tested against new and emerging threats.
- Spot Checks: As part of our Bug Bounty offering, Spot Checks allow for quick, flexible testing iterations. This capability supports DORA Article 25(1)'s call for "vulnerability assessments and scans, open source analyses, network security assessments, gap analyses," and other appropriate tests.
HackerOne’s human-powered, continuous approach ensures that organizations can meet DORA's requirements for a "range of assessments, tests, methodologies, practices, and tools" as specified in Article 24(2). By leveraging HackerOne's global network of security experts, including EU-based professionals specializing in DORA requirements, organizations can ensure their security measures are thoroughly evaluated against both DORA standards and broader EU regulatory expectations.
By integrating HackerOne's security testing solutions into their DORA compliance strategy, organizations are empowered to meet the required digital operational resilience standards while demonstrating a proactive, risk-based approach to cybersecurity. This comprehensive strategy significantly enhances their credibility with regulators and ensures ongoing resilience in the face of evolving ICT risks.