Starting this year, financial institutions (FIs) and crypto-asset service providers (CASPs) in the EU are required to comply with complex frameworks that protect digital infrastructure and financial services. Today, we’re excited to announce the launch of our Cyber and Operational Resilience (COR) Compliance Package, designed specifically to help FIs meet their obligations under the European Union’s Digital Operational Resilience Act (DORA), which came into force in the EU on January 17, 2025.
The Motivation Behind the COR Compliance Package
DORA mandates that banks, financial institutions, and crypto asset service providers (CASPs) strengthen their cybersecurity and operational resilience. The Fireblocks COR Compliance Package simplifies this complex regulatory landscape, allowing organizations to focus on growth and innovation while maintaining compliance.
The regulators have made it clear what you need to do and how you implement it under DORA, so having a proactive solution from Fireblocks that we can implement knowing that it’s been built by experts saves us time, resources, and gives us confidence in our ability to meet DORA obligations as we continue to work with Fireblocks.
The COR Compliance Package was designed specifically for institutions that designate Fireblocks as a third-party ICT provider supporting a critical or important function, and was developed to streamline the path to regulatory alignment. Key features include a dedicated legal addendum, annual and periodic reports, an advanced ICT security kit, and an annual pooled security audit event, helping institutions meet compliance requirements with greater efficiency while strengthening operational resilience.
As we’ve seen recently, piecemeal solutions can have disastrous outcomes when it comes to cybersecurity and operational resilience. The intention of DORA is to ensure that financial entities manage and mitigate the risks linked to their Information and Communication Technology (ICT) infrastructure, and it sets out clear guidelines on how these institutions should prepare for and respond to potential technology failures or attacks. Fireblocks has taken its multilayered approach to security and resilience a step further: we’ve implemented operational changes, built a dedicated reporting framework, and designed a contractual framework to align with DORA requirements.
Fireblocks provides its customers with a holistic offering designed to meet their DORA obligations confidently and efficiently. We’ve built this package to simplify compliance, reduce complexity, and allow our customers to focus on scaling their businesses and innovating in a rapidly changing environment.
A Brief Overview of the DORA Regulations and Obligations
DORA establishes comprehensive regulations for FIs and CASPs to manage ICT infrastructure and potential risks. It sets out clear guidelines on how these institutions should prepare for and respond to potential technology failures or attacks, including:
- Risk management: Institutions need to assess, monitor, and manage digital risks (such as cybersecurity threats).
- Incident reporting: Institutions must report significant digital incidents to regulators.
- Testing and recovery: Regular testing of systems and having recovery plans in place is required to ensure continued service during disruptions.
- Third-party providers: Institutions bear the full responsibility for their usage of ICT third-party service providers, and must verify the appropriateness of those parties’ security and operational resilience.
- Information sharing: Institutions must promote collaborative information sharing practices to improve resilience across the industry.
One important aspect of DORA is the designation of ICT vendors that support a critical or important function. This designation requires financial entities to have stringent oversight and due diligence practices in place to ensure that these vendors can meet operational resilience requirements.
The Importance of Critical ICT Vendor Oversight
While all aspects of DORA are important to understand, the third-party risk management pillar of the regulation is critical because it concerns factors external to the regulated entity. You may be asking: what should you expect from your third-party ICT providers supporting a critical or important function, and how deep should your understanding of them be?
Under DORA, financial entities must evaluate their ICT vendors’ criticality and verify that these vendors meet the necessary standards to mitigate risks effectively. This means ensuring that your vendor partners have robust business continuity plans, resilience measures, and appropriate incident response strategies in place. But it doesn’t stop there—you must also confirm that the vendors’ operations are aligned with your own resilience requirements.
Our COR Compliance Package provides a comprehensive solution that guides you through the process of managing and reporting on these critical ICT vendors. It ensures that you’re not only compliant but also prepared for any operational disruptions that may occur in the future.
Take Action Today
The COR Compliance Package is your gateway to understanding and implementing DORA’s regulations effectively. To learn more about the specific steps you need to take in order to meet these regulatory obligations, we encourage you to read our White Paper. It offers a deeper dive into the pillars of DORA Compliance and outlines clear actions to ensure your business is compliant and resilient.