​Europe’s​​​ ​​Digital Operational Resilience Act (DORA): Strong authentication requirements for financial institution​ employee​s

Frederik Mennes,

In recent years, the European Union (EU) has significantly stepped up its efforts to increase ​cybersecurity ​within European governments and businesses through legislation. For example:

  • The Cybersecurity Act (2021) became applicable and established a European cyber security certification framework for information and communication technology (ICT) products, services, and processes.
  • The revised Network and Information Security (NIS2) directive, which aims to raise the overall ​cybersecurity​ level of government agencies and businesses in critical sectors, will become applicable in October 2024.
  • The Cyber Resilience Act (CRA), which mandates that products with digital elements are only made available on the market if they meet specific ​cybersecurity​ requirements, is expected to receive formal approval at the beginning of 2024.

An additional EU regulation is the Digital Operational Resilience Act (DORA), which addresses ​cybersecurity​ concerns in the ​financial services ​sector. This EU regulation will become applicable in January 2025.

In this blog, we explore DORA and specifically the requirements related to strong authentication of members of the workforce of financial ​​​services ​institutions.

For a more detailed explanation, listen to this webinar where our experts guide you through the most important aspects of DORA compliance, including key requirements related to strong customer authentication, compliance timelines, and how the regulation will be enforced.

How to comply with NIS2 and DORA

How to comply with NIS2 and DORA

Listen to expert guidance on the impact of EU cybersecurity regulations, key requirements, and how organizations can prepare.

Watch now

What is DORA?

The DORA regulation intends to increase the digital operational resilience of the ​financial sector.​ It is a response to the escalating ​cyber threats​ that companies operating in the ​financial sector​ — and their ICT-related services vendors – face. DORA defines rules on ICT risk management, ICT incident management and reporting, operational resilience testing, and the management of ​ICT third-party risks​.

What does the DORA regulation mean?

DORA is a regulation, which means it applies directly in each member state without the need for transposition into the domestic legislation of each country. With the DORA regulation, the same requirements apply in each member state.

DORA is accompanied by eight Regulatory Technical Standards (RTS), two Implementing Technical Standards (ITS), and four other policy products, which specify the requirements of DORA in more detail. These are currently under development by ​​​​​​European ​​​supervisory authorities​ (​ESAs) including ​EBA, EIOPA, and ESMA​, ​for the ​financial sector​. Examples of the RTS are as follows:

  • RTS on (simplified) ​ICT risk management framework​, which aims to harmonize the policies, procedures, methods and tools used for risk management. They prescribe the development of security policies and procedures in 10 areas, namely ICT asset management, encryption & cryptographic controls, ICT project management, acquisition, development and maintenance of ICT systems, physical and environmental security, human resources, identity management, access control, ICT-related incident management, and ICT business continuity.
  • RTS on criteria for the classification of ​ICT-related incidents​, which specify the criteria and approach for the classification of major ​ICT-related incidents​, the materiality thresholds of each classification criterion, the criteria and thresholds to be applied when classifying significant ​cyber threats​, and the criteria for competent authorities to assess the relevance of incidents to other competent authorities.
  • RTS to specify the policy on ICT services supporting critical or important functions provided by ICT third-party service providers (TPPs), which specifies parts of the governance arrangements, risk management, and internal control framework that financial entities should have in place regarding the use of ICT third-party service providers.

Finally, it is worth noting that DORA’s requirements related to third-party service providers build heavily on the EBA’s Guidelines on Outsourcing Arrangements from 2019.

Who does DORA apply to?

DORA's jurisdiction spans the European Economic Area, encompassing the 27 EU member states, alongside Iceland, Lichtenstein, and Norway.

It targets two main types of entities:

  • Financial market participants, such as banks, payment service providers, investment firms, insurance and reinsurance providers, securities depositories, credit rating agencies, crypto-asset service providers, and crowdfunding platforms.
  • Third-party technology providers that deliver products and services to ​financial sector​ institutions, including cloud service providers, data center providers, critical Independent Software Vendor (ISV) and systems integration providers, among others.

General cybersecurity measures under DORA

DORA defines rules in the following areas:

  • ICT risk management
    • Responsibilities for ICT management are designated to the company's management.
    • Financial entities are mandated to establish a comprehensive ICT Risk Management Framework, continually monitored through key performance indicators and risk metrics.
  • ICT incident management and reporting
    • Covered entities must set up systems for monitoring, managing, logging, classifying, and reporting ICT-related incidents.
    • Detailed rules on incident classification, reporting requirements, and timelines are in the pipeline.
  • Resilience testing and intelligence sharing
    • Annual advanced security tests on critical ICT systems and applications.
    • Prompt elimination of vulnerabilities via mitigating measures.
    • Periodic advanced penetration testing, with mandatory participation and cooperation from ICT service providers.
    • Encouragement for entities to participate in threat intelligence sharing arrangements.
  • Third-party risk management
    • Negotiation of contractual arrangements with third-party providers, covering exit strategies, audits, and performance targets.
    • Mapping of third-party ICT dependencies.
    • Direct oversight from authorities for critical ICT third-party service providers.

Strong authentication of workforce members in the spotlight

Now, let's focus on a specific component of DORA's defense mechanism – authentication.

Article 9 of DORA specifically addresses the importance of strong authentication. It requires covered entities to:

Implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, […] based on results of approved data classification and ICT risk assessment processes.

In other words, DORA means entities need to perform a risk assessment of their ICT assets and processes, and decide where strong authentication is required to lower the risk level. Strong authentication, including protection against phishing, applies to the members of the workforce (e.g. employees, contractors) of the covered entities. Authentication of customers of ​financial institutions​ is addressed in another legislation, namely the revised Payment Services Directive (PSD2).

Article 22 of the final draft RTS on (simplified) ​ICT risk management framework ​develops the authentication requirements in more detail. It states:

Financial entities shall develop, document and implement a policy […] including all the following:

i.    the use of authentication methods commensurate to the classification and overall risk profile of ICT assets and considering leading practices;

ii.    the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or that are publicly accessible.

The RTS stresses the importance of performing strong authentication of workforce members in case of remote access to the company’s network (e.g. via a Virtual Private Network or VPN), privileged access (e.g. access with administrative privileges), and access to ICT assets supporting critical or important functions.

While DORA does not provide a definition of what constitutes “strong authentication,” it does require multi-factor authentication (MFA), meaning the user demonstrates their identity using an authentication mechanism that generates one-time, dynamic authentication codes. This strong authentication mechanism is typically built from at least two authentication elements that are taken from three possible authentication categories, namely the possession category (something only the user has, such as a hardware token), the knowledge category (something only the user knows, like a password or PIN) or the inherence category (something only the user is, or a biometric characteristic such as a fingerprint or face scan).

From a security best practices perspective, we recommend phishing-resistant MFA mechanisms that offer full protection against phishing attacks. Phishing-resistant authentication methods generate authentication codes that are useless to fraudsters, and are typically implemented using authentication protocols standardized by the FIDO Alliance.

When does DORA go into effect?

DORA entered into force on 16 January 2023 and applies across the European Economic Area as of 17 January 2025.

The RTS and ITS follow a timeline different from the overall DORA timeline. On 17 January 2024, the supervisory authorities submitted the first batch of RTS and ITS to the Commission for adoption, with the second batch expected by 17 September 2024. Following the adoption, the RTS and ITS will be subject to scrutiny by the European Parliament and the Council and then will be published in the Official Journal of the European Union. This regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Achieving compliance with DORA

DORA emerges as a pivotal force in fortifying the ​cybersecurity​ landscape of the ​financial sector ​within the European Economic Area. The regulation's emphasis on ICT risk management, ​incident reporting​, digital operational resilience testing, and third-party risk management underscores a holistic approach to ​cybersecurity​ governance.

DORA also encompasses authentication, particularly strong authentication for the workforce members of covered entities. Financial ​​​entities​​ should ensure they equip their workforce with modern, user-convenient authentication technology to achieve compliance with DORA. Phishing-resistant authentication technology based on FIDO standards is a natural choice.

DIGIPASS FX1 BIO by OneSpan helps companies comply with changing regulations like DORA by enabling a phishing-resistant passwordless solution. Learn more about OneSpan’s authentication offerings.

Digipass FX1 BIO Device

DIGIPASS FX1 BIO: Phishing-resistant, passwordless authentication for a secure workforce

Protect your workforce and safeguard data and applications from attacks with our latest FIDO authenticator with fingerprint scan.

Learn more

Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.