Understand DORA In 4 Questions and How To Automate Vendor Compliance With AI

Written By: Gizem Toprak
Contributor: Müzeyyen Gökçen Tapkan

1. What Is the Digital Operational Resilience Act (DORA)?

Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that aims to improve the cybersecurity and operational resilience of financial institutions. DORA builds on existing laws, such as the NIS Directive and GDPR, to close gaps in digital risk management.

It aims to increase the operational resilience of the EU’s financial sector in the face of increasing digitalization and a growing number of cyber threats.

We can list the main goals of DORA as follows:

1. ICT Risk Management Ensuring financial institutions have robust mechanisms to manage Information and Communications Technology (ICT) risks throughout their operational life cycle.
2. Digital Operational Resiliency Testing Requiring financial institutions to conduct regular and rigorous testing of their ICT systems and processes. The purpose of this test is to evaluate their ability to withstand cyber attacks and other ICT disruptions.
3. Incident Reporting Standardized incident reporting mechanisms that enable financial entities to quickly and efficiently report significant cyber threats and incidents to regulatory authorities, facilitating a coordinated response to cyber risks.
4. ICT Third-party Risks Address the risks associated with the increasing reliance on third-party ICT service providers, including cloud services. DORA aims to ensure that financial entities can effectively manage and mitigate risks stemming from their dependencies on external providers.
5. Consumers and Preserving Financial Stability Protect consumers and the integrity of the financial system by minimizing the impact of ICT disruptions and ensuring that financial entities can maintain continuous operation and service delivery.

2. What is Third-Party Risk Management (TPRM) Under DORA?

Third-Party Risk Management under the Digital Operational Resilience Act (DORA) is a critical component designed to address and mitigate risks arising from financial institutions’ dependence on third-party Information and Communications Technology (ICT) service providers, cloud services, software providers, and Fintech providers. This aspect of DORA aims to ensure that the financial sector is not compromised by the failure or deficiencies of external service providers.

3. Why Must Your Company Comply With DORA?

More than 21,000 EU financial institutions, such as banks, credit companies, and ICT third-party service providers, will be required to comply with DORA by 2025.

Financial institutions and ICT service providers outside the EU will also be required to comply with this regulation if they provide critical ICT transactions to EU financial institutions. Failure to comply with DORA imposes strict financial penalties for non-compliance. Violations can result in fines of up to 2% of an institution’s total annual global revenue or 1% of its average daily global revenue. Both individuals and companies could face fines up to €1,000,000. Critical third-party ICT service providers, essential to financial entities, could be fined even more heavily—up to €5,000,000 or €500,000 for individuals who fail to meet DORA’s rigorous standards. Requirements will be enforced proportionately, which means smaller entities will not be held to the same standards as major financial institutions.

4. What Does Black Kite Do for DORA Compliance?

1. Unlike other frameworks that have readily available control lists, DORA is not straightforward. To create a control list from DORA, the Black Kite Data Research team, a part of the Black Kite Research & Intelligence Team (BRITE), included sections for Financial Entities and third parties. The obligations pertaining to  European Supervisory Authorities (ESA) and Member States were not included as DORA control items as they are not within the obligations of Financial Institutions. It’s important to note that the sections and paragraphs in DORA are too long for any parser to automatically parse. The Black Kite Data Research Team addressed this issue through large language model (LLM)-based privately fine-tuned models. Black Kite’s UniQuE^TM Parser can easily process any document uploaded by users and map it to DORA
2. Black Kite’s Unique Parser 3.0 AI engine maps DORA controls to other frameworks and revolutionizes the compliance process by simplifying the task of aligning security policies with standards. With the industry’s first cyber-aware AI engine, the UniQuE Parser allows vendors to effortlessly upload their security policies or custom questionnaires in various formats, including doc, txt, xlsx, csv and pdf. This cutting-edge technology then swiftly calculates mappings, delivering results in seconds.
3. DORA is integrated to the Black Kite platform as an industry framework on the compliance module.
4. Companies can upload their InfoSec policies as well as other artifacts to see their compliance to DORA. By leveraging the power of Black Kite’s UniQuE 3.0 AI engine, companies can easily navigate the complex compliance landscape and ensure up-to-date security measures without the need for traditional, time-consuming manual efforts. And also companies can download the results from the Black Kite platform.

See how you can leverage automation to gather relevant data and identify compliance gaps. Request a demo to see the Black Kite UniQuE^TM Parser in action.