Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) addresses a significant gap in EU financial regulation. Previously, financial institutions dealt with major operational risks primarily by allocating capital against them, an approach that did not cover all aspects of operational resilience. With DORA in place, institutions must adhere to requirements for their capabilities to protect against, detect, contain, recover from, and repair the effects of ICT-related incidents. DORA specifically targets ICT risk and establishes rules for ICT risk management, incident reporting, operational resilience testing, and monitoring third-party ICT risks. The regulation recognizes that ICT incidents and insufficient operational resilience can threaten the stability of the entire financial system, even if traditional risk categories are backed by “adequate” capital.
When will DORA come into force?
DORA entered into force on January 16, 2023 and applies from January 17, 2025.
Once the standards are finalized and the January 2025 deadline arrives, enforcement will be handled by designated regulators in each EU member state, known as “competent authorities.” These authorities can require financial entities to implement specific security measures and address vulnerabilities. They will also have the power to impose administrative and, in some cases, criminal penalties on entities that do not comply, with each member state determining its own penalties.
ICT providers considered “critical” by the European Commission will be directly overseen by lead overseers from the ESAs. Similar to competent authorities, these overseers can mandate security measures and remediation efforts and penalize noncompliant ICT providers. Under DORA, lead overseers can impose fines on ICT providers amounting to 1% of the provider’s average daily global turnover from the previous business year. Providers can be fined daily for up to six months until they achieve compliance.
Purpose of DORA
DORA has two primary objectives: to thoroughly address ICT risk management in the financial services sector and to harmonize ICT risk management regulations across EU member states.
Prior to DORA, EU regulations for risk management in financial institutions mainly focused on ensuring sufficient capital to cover operational risks. Although some EU regulators issued guidelines on ICT and security risk management, these guidelines were not uniformly applicable to all financial entities and often relied on general principles rather than specific technical standards. Without EU-level ICT risk management rules, individual member states created their own requirements, resulting in a fragmented regulatory landscape that was challenging for financial entities to navigate.
DORA aims to create a unified framework for managing and mitigating ICT risk within the financial sector across the EU. By standardizing risk management rules, DORA seeks to eliminate gaps, overlaps, and conflicts between different national regulations. A common set of rules will simplify compliance for financial entities and enhance the overall resilience of the EU financial system by ensuring that all institutions adhere to the same standards.
To whom does DORA apply?
DORA applies to a wide range of entities within the European Union (EU) financial sector. Specifically, the provisions of DORA are relevant to the following entities:
- Financial institutions:
  - Banks
  - Investment firms
  - Payment institutions
  - Electronic money service providers
- Financial market infrastructures:
  - Central counterparties (CCPs)
  - Central securities depositories (CSDs)
  - Payment systems
- Other financial institutions:
  - Asset managers
  - Insurance companies
  - Pension funds
  - Crowdfunding service providers
  - Data broking firms
  - Investment fund management companies
- ICT (Information and Communication Technology) service providers:
  - Cloud service providers
  - Data management companies
  - Data analytics companies
  - Other providers of digital services critical to the operation of financial institutions
DORA seeks to ensure that all these entities within the EU financial ecosystem are resilient to operational disruptions and cyber-attacks by establishing common standards for ICT-related risk management and strengthening oversight and cooperation across the European Union.
Requirements of DORA
In order to achieve a high common level of digital operational resilience, DORA establishes uniform requirements for the security of the networks and information systems that support the business processes of financial institutions, as follows:
- ICT risk management and governance
- Incident response and reporting
- Digital operational resilience testing
- Third-party risk management
Information sharing is recommended but not obligatory.
ICT risk management and governance
The Digital Operational Resilience Act (DORA) places responsibility for ICT management on an entity’s management body, including board members and senior managers. They must define risk management strategies, assist in implementation, stay informed about ICT risks, and can be held personally accountable for non-compliance.
Entities must create comprehensive ICT risk management frameworks, including mapping ICT systems, identifying critical assets, documenting dependencies, and conducting continuous risk assessments. They must document and classify cyber threats and mitigation steps. Business impact analyses are required to assess disruptions and inform ICT infrastructure design.
Entities must implement cybersecurity measures, such as identity and access management policies, patch management, detection and response systems, SIEM software, and SOAR tools. They also need business continuity and disaster recovery plans for various cyber risk scenarios, including data backup, system restoration, and communication plans.
Upcoming Regulatory Technical Standards (RTSs) will specify required elements of risk management frameworks, likely aligning with existing EBA guidelines on ICT and security risk management.
Incident response and reporting
Covered entities must implement systems to monitor, manage, log, classify, and report ICT-related incidents. Depending on the incident’s severity, entities may need to report to regulators and inform affected clients and partners. They are required to file three types of reports for critical incidents: an initial notification, an intermediate progress report, and a final report analyzing root causes.
Rules on incident classification, reportable incidents, and reporting timelines are forthcoming. European Supervisory Authorities (ESAs) are considering ways to streamline reporting through a central hub and standardized templates.
Digital operational resilience testing
Entities must regularly test their ICT systems to evaluate protection strength and identify vulnerabilities. Test results and plans to address weaknesses must be reported to and validated by relevant authorities. Basic tests, such as vulnerability assessments and scenario-based testing, are required annually. Financial entities deemed critical to the financial system must also undergo threat-led penetration testing (TLPT) every three years, with their critical ICT providers participating. Technical standards for TLPTs are forthcoming, likely aligning with the TIBER-EU framework for threat intelligence-based ethical red-teaming.
Third-party risk management
One unique aspect of DORA is its application to both financial entities and their ICT providers. Financial firms must actively manage third-party ICT risks, including negotiating contracts with exit strategies, audits, and performance targets for accessibility, integrity, and security. Entities cannot contract with ICT providers unable to meet these requirements, and authorities can suspend or terminate non-compliant contracts. The European Commission is considering standardized contractual clauses to ensure compliance with DORA.
Financial institutions must map third-party ICT dependencies and avoid over-reliance on a single provider or small group of providers. Critical ICT third-party service providers will be subject to direct oversight by relevant European Supervisory Authorities (ESAs). Criteria for determining critical providers are being developed, with assigned lead overseers enforcing DORA requirements and potentially forbidding non-compliant contracts.
Information sharing
Financial entities are required to set up procedures to learn from both internal and external ICT-related incidents. To facilitate this, DORA encourages participation in voluntary threat intelligence sharing initiatives. However, any shared information must adhere to relevant guidelines, such as ensuring personally identifiable information complies with General Data Protection Regulation (GDPR) requirements.
Links to the DORA regulation:
Website: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=FR