DORA – Digital Operational Resilience Act

  • Fabian Sinner
  • May 7, 2024


The Digital Operational Resilience Act (DORA) is a European Union regulation aimed at strengthening the security and resilience of information and communication technology in the financial sector. DORA came into force on January 16, 2023, and will be applied from January 17, 2025.

What are the main compliance requirements of DORA?

DORA includes a variety of compliance requirements that financial companies and third-party ICT providers must meet. These include:

  • Risk management for ICT: Financial organizations must develop and implement appropriate risk management strategies for their ICT systems to increase resilience to digital risks.
  • Resilience testing: Regular testing of the digital resilience of critical ICT systems is required to identify and address potential vulnerabilities.
  • ICT incident reporting: Companies are required to report serious ICT-related incidents to the relevant authorities and take appropriate action to address them.
  • Monitoring of critical third-party providers: Financial organizations must identify and monitor critical third-party ICT providers to ensure that these providers implement robust security measures.
  • Contract management: Companies must ensure that their contracts with third-party ICT providers meet the requirements of DORA and include appropriate risk mitigation mechanisms.
  • Cooperation with authorities: Companies must work closely with the relevant authorities and share information on ICT risks and incidents.
  • Compliance reporting: Financial organizations must prepare and submit regular compliance reports to regulators to demonstrate their compliance with DORA requirements.
  • Employee training: Companies must ensure that their employees are aware of the requirements of DORA and are appropriately trained to meet them.

Timetable

The following timetable applies to DORA from its entry into force to its application and the start of monitoring:

  1. Entry into force of DORA: The regulation entered into force on January 16, 2023.
  2. Public consultations: Public consultations on the criteria for the critical functions and fees took place between May and June 2023.
  3. Initial guidelines: The first guidelines were discussed in a consultation from June to September 2023.
  4. Further public consultations: Further public consultations for the second phase of the guidelines were held from December 2023 to March 2024.
  5. Delivery of guidelines: The first guidelines were delivered on January 17, 2024, followed by the second phase on July 17, 2024.
  6. Application of DORA: From January 17, 2025, DORA will be fully applied.
  7. Start of monitoring activities: From 2025, the European Supervisory Authorities (ESAs) will start monitoring activities, including the designation of critical third-party providers.

Why was DORA introduced?

DORA was introduced to respond to the growing threat of cyberattacks and the financial sector’s increasing reliance on information and communication technology.

Risks from cyberattacks

The financial industry is a prime target for cybercriminals because of the enormous amount of sensitive financial data it manages. Cyberattacks can cause significant financial losses and shake consumer confidence in the financial system.

Increasing dependence on IT services

Financial companies are highly dependent on IT infrastructures and services to run their business processes. This includes not only internal IT systems, but also third-party services such as cloud service providers and payment processing companies.

Fragmentation of regulation

Prior to the introduction of DORA, regulation of digital resilience within the European Union was fragmented. There was a lack of uniform standards and procedures for managing ICT risks in the financial sector.

Need for harmonization

DORA aims to harmonize these approaches and create a single framework for digital resilience across the EU financial sector. This will not only facilitate compliance, but also strengthen cooperation and information sharing between member states.

Ensuring financial stability

A resilient financial system is crucial for the economic stability of the EU. DORA aims to ensure that the financial sector remains resilient and that potential disruptions can be dealt with quickly and effectively.

Protecting consumers

By strengthening digital resilience, the aim is to protect the interests of consumers by minimizing the risk of ICT-related disruptions and data leaks.

Overall, DORA was introduced to make the financial sector more resilient to growing digital risks and to ensure financial stability in the European Union. By implementing uniform standards and procedures, companies will be better protected against cyberattacks and consumer confidence will be strengthened.

Who is affected by DORA?

DORA affects a wide range of financial companies and organizations within the European Union. These include:

  • Banks
  • Insurance companies
  • Investment firms
  • Payment service providers
  • Crypto-asset firms
  • Financial market infrastructures
  • Electronic money institutions
  • Capital management companies

In addition, DORA regulations are relevant for third-party ICT providers, especially those that are classified as critical to the financial infrastructure. These third-party providers could be cloud services, data analysis companies, or providers of cybersecurity services.

The inclusion of third-party providers is particularly important, as the financial services industry is increasingly dependent on these external ICT services, which poses an additional risk to operational resilience.
