The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union (EU) to strengthen the digital resilience of financial entities. DORA establishes a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector and it went into effect on January 17, 2025.
Why is DORA needed?
The financial sector is increasingly dependent on technology and on tech companies to deliver financial services. This makes financial entities vulnerable to cyber-attacks and ICT incidents. When not managed properly, ICT risks can lead to disruptions of financial services offered across borders. This, in turn, can have an impact on other companies, other sectors and even the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector. This is where the Digital Operational Resilience Act, or DORA, comes into play.
What does DORA cover?
DORA brings harmonisation to rules relating to operational resilience for the financial sector, applicable to 20 different types of financial entities and ICT third-party service providers and specifically:
ICT risk management: Principles and requirements on ICT risk management framework.
ICT third-party risk management: Monitoring of the risk arising from ICT third-party service providers. Key contractual provisions.
Digital operational resilience testing: Basic and advanced testing.
ICT-related incidents: General requirements. Reporting of major ICT-related incidents to competent authorities.
Information sharing: Exchange of information and intelligence on cyber threats.
Oversight of critical third-party providers: Oversight framework for critical ICT third-party providers.
Who is affected by DORA?
The DORA Regulation applies to the EU's financial sector and to suppliers of ICT services to that sector, wherever those suppliers are based, and specifically to:
Credit institutions.
Payment institutions.
Account information service providers.
Electronic money institutions.
Investment firms.
Crypto-asset service providers and issuers of asset-referenced tokens.
Central securities depositories.
Central counterparties.
Trading venues.
Trade repositories.
Managers of alternative investment funds.
Management companies.
Data reporting service providers.
Insurance and reinsurance undertakings.
Key pillars of DORA
To achieve its objectives, DORA is built around five fundamental pillars that collectively aim to bolster the digital resilience of financial institutions and specifically:
ICT Risk Management: Financial institutions must implement comprehensive risk management frameworks to identify, monitor, and mitigate risks related to information and communication technology (ICT). This involves assessing risks from both internal systems and third-party providers.
Operational Resilience Testing: Institutions are required to test their digital operational resilience through various assessments and simulations. These tests help identify weaknesses and ensure that systems can withstand disruptions.
Incident Reporting: Timely detection and reporting of ICT-related incidents are crucial under DORA. Financial entities must have protocols in place to report incidents to regulators promptly, minimizing the impact on operations and customers.
Information Sharing: DORA encourages financial institutions to share threat intelligence and information about cyber risks with relevant stakeholders. This collective approach enhances overall resilience within the financial ecosystem.
DORA requires financial entities to have a documented ICT risk management framework that “enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience” and this must be backed up by regular testing.
In addition, financial entities must have “an ICT-related incident management process to detect, manage and notify ICT-related incidents” as well as manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework.
Overall, DORA aims to harmonise risk management rules across the EU, seeking to remove the gaps, overlaps and conflicts that could arise between disparate regulations in different EU states while ensuring that every institution abides by the same standard.