On January 17, 2025, the DORA regulation came into effect, impacting identity verification processes in the financial sector. DORA aims to enhance digital operational resilience by standardizing security and digital risk management requirements. In this article, we will explore the changes introduced by the DORA regulation, what it is, and its consequences for financial institutions and their customers in terms of identity verification.

What You Will Learn from This Article:

  • DORA regulation: what it is and who it applies to
  • DORA regulation and identity verification
  • Summary

DORA regulation: what it is and who it applies to

The Digital Operational Resilience Act (DORA) is a key piece of European Union legislation designed to strengthen the digital operational resilience of the financial sector. The regulation aims to protect financial institutions from growing cybersecurity threats, which is especially crucial in an era of increasingly sophisticated cyberattacks.

Regulation (EU) 2022/2554 of the European Parliament and of the Council establishes the regulatory framework for ICT risk management, incident reporting, and system testing within financial institutions. The primary goal of the regulation is to enhance digital operational resilience, meaning financial institutions must adapt their systems and procedures to meet the new cybersecurity requirements. Importantly, in Poland the Polish Financial Supervision Authority is responsible for ensuring compliance with the DORA regulation. Failure to implement the necessary changes may result in financial penalties.

Five pillars of the DORA regulation

DORA is based on five fundamental pillars that are essential for the financial sector:

  1. ICT risk management – Financial institutions must implement appropriate strategies and procedures for managing risks related to information and communication technologies.
  2. Incident reporting – Institutions are required to regularly report significant security incidents to relevant supervisory authorities.
  3. Digital resilience testing – Regular testing of systems and procedures to assess their resilience to cyber threats.
  4. Risk management for external ICT service providers – Institutions must ensure the resilience of ICT service providers and effectively manage their relationships.
  5. Cyber threat information sharing – Financial entities should share information on cyber threats to improve overall security.

Who does the DORA regulation apply to?

Now that you understand the main principles of the DORA regulation, it’s important to know who must comply with it. DORA applies to a broad spectrum of financial market participants in the European Union, including:

  • Credit institutions
  • Investment firms
  • Payment service providers
  • Insurance companies
  • Entities managing financial market infrastructures (e.g., stock exchanges, crypto-asset service providers)
  • Providers of critical digital services for the financial sector, including cloud service providers and cybersecurity firms

DORA requires these institutions to implement risk management procedures and ensure business continuity, which is crucial for financial stability within the EU. Each institution must establish strategies, policies, procedures, and mechanisms aimed at minimizing cyber risks that could impact their operational stability.

DORA regulation and identity verification

The DORA regulation aims to strengthen financial institutions’ resilience to cybersecurity threats. One crucial aspect of ensuring security is identity verification. Why is this area so important in the context of DORA?

Identity verification is essential for securing access to critical systems and data. In practice, this means that financial institutions must implement technologies ensuring that access to critical systems, including transaction systems, is restricted to authenticated and properly verified users. Strong authentication methods and data encryption support compliance with DORA requirements and reduce the risk of unauthorized access.

Additionally, DORA mandates that institutions must have incident response procedures in place. In the event of a security breach, identity verification plays a crucial role in regaining access to systems and restoring normal operations. It also ensures that only authorized individuals can perform necessary recovery actions.

To meet DORA requirements, institutions must implement appropriate cyber risk management technologies and procedures. Identity verification can help protect against threats such as phishing and brute-force attacks, which aim to gain unauthorized access to user accounts.

Identity verification measures may include:

  • Multi-level authentication (e.g., multi-factor authentication, MFA)
  • Access rights management (determining who has access to which resources)
  • Access monitoring and auditing (recording and analyzing login attempts and user activity)

Summary

In this article, we provided key information about the DORA regulation, explaining what it is and why identity verification is an important aspect in its context. Understanding and implementing DORA requirements are crucial steps for financial institutions that want to enhance their resilience to cyberattacks and ensure the security of their operations and customer data.

Would you like to learn more? Contact us! Our experts will answer all your questions and help you choose the right identity verification system. Also, check out what an electronic signature is and how it can support compliance with DORA.