
Brief Overview of the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at enhancing the cybersecurity and resilience of financial institutions. It establishes measures for ICT risk management, incident reporting, and the oversight of third-party ICT providers, aiming to harmonize digital resilience practices across the EU.


The Digital Operational Resilience Act (DORA) is a European Union initiative aimed at strengthening the digital resilience of financial entities. The regulation establishes a single set of regulatory and supervisory rules for the operational resilience of information and communication technologies in the financial sector.

DORA came into force on January 16, 2023 and applies from January 17, 2025. It ensures that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT (Information and Communication Technology) disruptions, such as cyberattacks or system failures.

DORA explicitly targets ICT risks, introducing clear rules for ICT risk management, incident reporting, operational resilience testing, and oversight of ICT third-party risks. The regulation recognizes that ICT incidents and a lack of operational resilience can threaten the stability of the entire financial system, even when "adequate" capital is allocated to traditional risk categories.

Key Pillars of DORA

DORA is built upon five key pillars:

- ICT Risk Management: Financial entities are required to implement a robust ICT risk management framework. This includes establishing and maintaining ICT risk management frameworks to identify and mitigate risks.
- ICT Incident Reporting: Financial institutions must report significant ICT-related incidents to authorities.
- Digital Operational Resilience Testing: Regular testing of digital operational resilience, including penetration testing, is required.
- ICT Third-Party Risk Management: Organizations must manage and monitor risks from third-party service providers.
- Information Sharing: Financial entities are encouraged to participate in information-sharing arrangements to stay informed about emerging threats and best practices.

Who is Affected by DORA?

DORA applies to a wide range of financial entities regulated by the Central Bank of Ireland. Organizations operating in the financial sectors impacted by DORA include, among others:

- Credit institutions
- Payment institutions
- Electronic money institutions
- Investment firms
- Crypto-asset service providers
- Alternative investment funds
- Insurance managers

Key Requirements of DORA

The primary requirements that financial institutions and service providers must adhere to as they work toward full DORA compliance include:

- Risk Management: Establishment of an ICT risk management framework, including comprehensive internal governance, self-assessments, and controls to identify and minimize risk.
- Business Continuity Planning: Financial services must have a thorough and well-tested continuity plan in place to maintain operations through security incidents.
- Incident Response and Crisis Management: A key component of digital resilience, DORA mandates the presence of a well-developed incident response plan to categorize, manage, and report on ICT incidents.
- Continuous Testing and Monitoring: DORA requires organizations to conduct regular testing and monitoring of systems for anomalous activities to ensure they are resilient against cyber threats.
- Third-Party Risk Management: DORA requires that organizations implement security measures that cover the supply chain.

Compliance with DORA is not merely a legal requirement but a strategic imperative for financial institutions seeking to safeguard their digital operations and maintain customer trust in an increasingly interconnected and threat-filled digital landscape.
