Introduction
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a landmark regulation introduced by the European Union (EU) to strengthen the cybersecurity and operational resilience of the financial sector. It entered into force on January 16, 2023, and applies to financial entities and their ICT third-party service providers from January 17, 2025.
DORA establishes a unified framework for managing digital risk so that financial organisations, including banks, insurers, investment firms and other entities, can keep operating securely through disruptions. Covering 20 categories of financial entities and the ICT third-party providers that serve them, the act sets clear, consistent requirements to safeguard critical systems and protect against cyber threats.
What makes DORA different
Earlier, country-level efforts to strengthen the financial sector against cyber threats, such as those of the UK Financial Conduct Authority (FCA), have been criticised as fragmented and overly complex.
In contrast, DORA offers a single, practical framework that applies across the EU and simplifies and strengthens cybersecurity and digital resilience requirements for financial institutions.
How does DORA relate to email and domain security?
Email and domain protection are critical components of preparing for DORA, as nearly 90% of cyberattacks start with a weakness in email security. One of the most common and damaging threats is Business Email Compromise (BEC), a targeted phishing attack that is often enabled by domain spoofing and that grew by more than 50% in the financial sector over the last year.
These attacks often take the form of Vendor Fraud or CEO Fraud, which threaten business continuity and operational resilience every day. What usually makes them succeed is domain spoofing: the attacker forges the visible From: address so that a phishing email to a business's customers, employees or supply chain carries the business's own domain. The fake emails are hard for the recipient to spot because they appear to come from a legitimate address, even though they were never sent by that organisation's mail systems.
Moreover, phishing accounted for the largest share of malicious traffic aimed at the financial sector, at 46%, according to research by Cisco.
The data is clear: securing your email and your domains will help you meet DORA's requirements. Organisations in scope of DORA will need to take action and implement security measures that include the following:
1. Securing email – the primary communication medium
Email remains the dominant medium for business communication, with over 333 billion emails sent every day in 2022, which makes it a prime target for attacks such as BEC. DORA does not name specific technologies, but its requirement to protect financial institutions' communication channels and to mitigate ICT risk is directly served by email authentication standards such as Domain-based Message Authentication, Reporting and Conformance (DMARC), built on SPF and DKIM. These measures protect against domain spoofing and establish the authenticity of email communications, supporting DORA's broader mandate to mitigate cyber risk and enhance digital resilience.
2. Recognising and mitigating identifiable threats
Since 2015, the Federal Bureau of Investigation (FBI) has consistently flagged BEC as a top threat vector in its IC3 Internet Crime Report. Under DORA, financial entities should therefore treat BEC as a "reasonably identifiable circumstance" and take proactive steps to mitigate its risks.
DORA requires organisations to identify and address reasonably identifiable circumstances that could compromise digital operational security. Given the prevalence of BEC attacks, financial entities are expected to proactively implement safeguards against such threats, including advanced email authentication protocols and employee training programs.
3. Detecting anomalies and suspicious activities
To comply with DORA, financial institutions must establish mechanisms to promptly detect anomalous activity, such as suspicious email patterns and misuse of their domains. Continuous monitoring and anomaly detection are essential to identify and respond to potential cyber threats in real time; DMARC aggregate (RUA) reports are a ready-made feed for this, because every participating receiver reports which IP addresses sent mail using your domain and whether it passed authentication.
A key defence against BEC is a strong DMARC policy, ideally configured at p=reject. At that setting, mail that spoofs your exact domain and fails SPF and DKIM alignment is rejected outright by receivers, protecting sensitive data, financial assets and your organisation's reputation. Two practical caveats: a policy of p=none or a pct value below 100 leaves spoofed mail deliverable, and p=reject only covers domains you control, so lookalike domains (example-bank.co instead of example-bank.com) still need separate monitoring.
Properly configured and managed DMARC makes it significantly harder for attackers to spoof legitimate domains for phishing and other email-based attacks, raising the cost of an attack and further securing the organisation. Recommended by the National Institute of Standards and Technology (NIST) in its email security guidance and a direct fit for DORA's ICT risk management requirements, DMARC is a proven control for demonstrating compliance and improving email security.
In addition to implementing DMARC, organisations can further mitigate BEC and related disruption through:
- Ensuring a proactive email security framework
- Investing in continuous monitoring tools to keep control over outbound email
- Making use of security awareness training
- Using lookalike-domain detection to stop attacks before they happen
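The two checks described above, evaluating whether a DMARC record is actually enforcing and triaging a DMARC aggregate report for unauthorised senders, as an added example that is not code from the original article or from Red Sift. The domain example-bank.test, the DMARC records and the aggregate report are all constructed for illustration; a real deployment would fetch the TXT record from DNS and read the XML attachments that receivers send to the rua= address.

```python
"""Added example: grade a DMARC policy and find unauthorised senders in an
aggregate (RUA) report. Records, domain and report below are constructed."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed DMARC TXT records for a hypothetical domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.test"
STRONG_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc@example-bank.test; ruf=mailto:forensics@example-bank.test"
)


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489, section 6.3)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def policy_findings(record: str) -> list[str]:
    """Return the gaps that stop a DMARC record from fully enforcing.

    An empty list means p=reject applies to the domain and all subdomains,
    to 100% of failing mail, with aggregate reporting enabled.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    findings: list[str] = []
    policy = tags.get("p", "")
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not blocked")
    subdomain_policy = tags.get("sp", policy)  # sp defaults to p when absent
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy or 'missing'}: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility of abuse")
    return findings


# Constructed aggregate report: one legitimate sender and one spoofing source.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.test</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example-bank.test</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example-bank.test</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>450</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example-bank.test</header_from></identifiers>
  </record>
</feedback>"""


def failing_sources(report_xml: str) -> list[dict]:
    """Return sources whose mail failed DMARC (neither DKIM nor SPF aligned), busiest first."""
    root = ET.fromstring(report_xml)
    failures: list[dict] = []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # DMARC passes when at least one aligned mechanism passes.
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        failures.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            "header_from": rec.find("identifiers").findtext("header_from"),
        })
    return sorted(failures, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, policy_findings(record) or ["enforcing"])
    for src in failing_sources(SAMPLE_RUA):
        print(f"{src['source_ip']} sent {src['count']} unauthenticated messages "
              f"as {src['header_from']}; receiver disposition: {src['disposition']}")
```

The weak record reports p=none and an unset subdomain policy; the strong record returns no findings. In the constructed report, the 450 messages from 203.0.113.77 failed both aligned mechanisms and were rejected because the published policy was p=reject; under p=none the same source would have been delivered, which is exactly the difference the policy setting makes. In practice a source that fails alignment can also be a legitimate but unconfigured sender (a newly onboarded SaaS tool), so each failing source is either added to SPF/DKIM or confirmed as abuse before moving to reject.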
What is a reasonably identifiable circumstance?
A reasonably identifiable circumstance is a risk arising from a widely recognised vulnerability, exposure or cyber threat. It counts as identifiable when a credible, independent authority has explicitly highlighted the risk and its potential impact on businesses like yours, giving clear notice. Examples include well-known vulnerability classes and significant threats, such as BEC, flagged by trusted cybersecurity organisations.
DORA & NIST: At a quick glance
Key DORA Articles (5-50) | NIST CSF 2.0 reference
ICT Risk Management (Articles 5 to 16) |
ICT-Related Incident Management Processes (Articles 17 to 23) | DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria.
General Requirements for the Performance of Digital Operational Resilience Testing (Articles 24 to 27) |
General Principles for Managing ICT Third-Party Risk (Articles 28 to 44) |
Authorities and Information Sharing (Articles 45 to 50) |
What are the benefits of the DORA?
DORA sets out what in-scope businesses need to do in one place, which supports better decision-making. By complying with its provisions, businesses can expect more predictable outcomes while becoming more resilient to cyberattacks and other ICT threats. Other benefits of this EU regulation include:
- Enhanced stability and security across supply chains
- Improved planning and execution of exit strategies for ICT providers
- Stronger ability to defend against and respond to attacks
- Increased protection against opportunistic cybercriminals
- A defensible position in the event of an attack
- Reduced business disruption and protected continuity
Who is affected by DORA?
DORA applies to two main groups of businesses.
The first group is financial entities: organisations involved in managing, transferring, holding, insuring, investing, protecting or raising funds, and those evaluating investments. This encompasses:
- Credit institutions (banks)
- Payment institutions and account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds and management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries (brokers)
- Credit rating agencies
- Crowdfunding service providers
The second group is ICT third-party service providers that supply ICT services to the financial sector. DORA's definition of ICT services covers digital and data services delivered through ICT systems, including hardware as a service, so it is not limited to software. These providers include but are not limited to:
- Cloud computing service providers
- Data centre operators
- Data analytics providers
- Software developers and software-as-a-service vendors
- Providers of other digital and data services
- Any other third-party ICT vendor supplying ICT services to a financial entity, including intra-group providers
While the businesses above are in scope because they are established in the EU, DORA also reaches outside it. An ICT provider located outside the EU that serves EU financial entities must meet DORA's contractual and oversight requirements, and a provider designated as critical must establish a subsidiary in the EU. Likewise, if a US-headquartered investment firm serves EU clients through an EU-authorised branch or subsidiary, that entity must comply with DORA.
Financial entities and in-scope ICT third-party service providers (TSPs) are required to:
- Identify and assess their digital operational risks.
- Implement appropriate measures to mitigate their digital operational risks.
- Report certain digital operational incidents to their national competent authorities.
- Cooperate with their national competent authorities in the event of a digital operational incident.
ICT TSPs designated as critical by the European Supervisory Authorities (ESAs) come under direct oversight by a Lead Overseer and are subject to additional requirements, such as:
- Designating a senior manager responsible for digital operational resilience.
- Providing their customers with information about their digital operational resilience.
- Undergoing regular assessments of their digital operational resilience.
Where a critical ICT third-party provider fails to comply with the Lead Overseer's recommendations or requests, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, applied daily for up to six months until compliance is achieved. The ESAs also have the power to publicly disclose such non-compliance.
What happens if you don’t comply with DORA?
Compliance with DORA is not optional for businesses operating in or serving the EU financial sector. The regulation places ultimate responsibility on an organisation's management body (board and executives) to approve, oversee and implement the ICT risk management framework that mitigates cyber risk and safeguards operational resilience.
Failure to address risks, particularly those identified as reasonably identifiable circumstances, can have severe consequences:
DORA does not set a single EU-wide fine schedule for financial entities. Instead, it requires each member state to give its national competent authorities administrative penalties and remedial measures that are effective, proportionate and dissuasive, including the power to order the cessation of conduct and to issue public notices. For critical ICT third-party providers, the Lead Overseer appointed by the ESAs can impose periodic penalty payments of up to 1% of average daily worldwide turnover. The exact penalty will depend on the severity and nature of the violation and on the national law that applies.
Are DORA and the NIST Cybersecurity Framework (CSF) the same?
In short, no. DORA is binding EU law, while the NIST Cybersecurity Framework 2.0 (CSF) is voluntary guidance. However, DORA aligns with the CSF in a number of important ways. Both emphasise the importance of:
- Identifying and assessing cybersecurity risks: DORA requires organizations to identify and assess their cybersecurity risks, and the NIST CSF calls for organizations to do the same.
- Implementing appropriate controls: DORA requires organizations to implement appropriate controls to mitigate their cybersecurity risks, and the NIST CSF recommends that organizations do the same.
- Monitoring and responding to cybersecurity incidents: DORA requires organizations to monitor their systems for cybersecurity incidents and to respond to incidents promptly and effectively, and the NIST CSF calls for organizations to do the same.
- Continuous improvement: Both DORA and the NIST CSF emphasize the importance of continuous improvement in cybersecurity practices.
In addition to these general similarities, DORA also aligns with the NIST CSF in a number of specific ways. For example, both frameworks call for organizations to:
- Establish a cybersecurity risk management program: DORA requires organizations to establish and maintain a cybersecurity risk management program, and the CSF recommends that organizations do the same.
- Assign senior accountability for cybersecurity: DORA makes the management body responsible for the ICT risk management framework and requires a control function to oversee ICT risk, and the CSF's Govern function calls for clearly established cybersecurity roles, responsibilities and authorities, typically including a CISO or equivalent senior executive.
- Conduct cybersecurity training for employees: DORA requires organizations to provide cybersecurity training to their employees, and the CSF recommends that organizations do the same.
- Report cybersecurity incidents to the appropriate parties: DORA requires organisations to report major ICT-related incidents to their competent authority within defined timeframes, and the CSF calls for notifying internal and external stakeholders, including authorities where required.
How can Red Sift help?
A critical part of preparing for DORA starts with securing your email systems, and one of the most effective ways to achieve compliance is through robust DMARC implementation. Red Sift OnDMARC gives you full control of your outbound email communications and insight into your digital estate. With its intuitive, cloud-based dashboard, you can easily manage DMARC, DKIM, and SPF records without the need to navigate DNS settings.
OnDMARC helps organisations address key DORA requirements by:
- Implementing a proactive email security framework: OnDMARC provides a clear pathway to achieving DMARC p=reject, ensuring unauthorised emails are blocked in order to protect your business from BEC and phishing.
- Streamlining oversight: OnDMARC offers visibility into your outbound emails, helping you monitor and resolve issues quickly.
- Pinpointing suspicious activity: Powered by machine learning, OnDMARC’s forensic reporting feature delivers relevant and granular information about your sending sources, enabling you to pinpoint and solve issues quickly.
Learn more about OnDMARC’s full benefits and prepare for DORA by signing up today!
Is there any further guidance around DORA?
The following organisations have set out guidance concerning DORA and how it may impact your business: