Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) creates a regulatory framework under which in-scope organisations must ensure that they can withstand, respond to, and recover from information and communication technology (ICT)-related disruptions and threats, including cyber-attacks. DORA aims to achieve a high common level of digital operational resilience across the EU by consolidating and upgrading financial entities’ ICT risk requirements, which have until now been addressed separately in various EU legal acts as part of wider operational requirements.
DORA applies to a wide range of regulated financial services entities, including: credit institutions, payment institutions, investment firms, crypto-asset service providers, trading venues, as well as insurance and reinsurance undertakings. It also applies to third-party ICT service providers, bringing them within regulatory scope for the first time.
The regulation of risk arising from the use of digital technology has been an area of increasing focus for the EU. DORA marks a significant development in the area of digital resilience in the regulated financial sector, by introducing a harmonised approach to ICT risk management, incident reporting, resilience testing, and third-party risk management.
DORA addresses ICT risk by setting targeted rules in the following five key areas: ICT risk management, ICT third-party risk, incident reporting, digital operational resilience testing, and information sharing.
ICT risk management
Financial entities subject to DORA must have in place an internal governance and control framework that ensures the effective and prudent management of ICT risks, to achieve a high level of digital operational resilience. The entity’s management body bears the ultimate responsibility for managing its ICT risk, in particular defining, approving, overseeing and being responsible for the implementation of all arrangements related to the entity's ICT risk management framework.
ICT third-party risk
DORA sets out prescriptive obligations on financial entities and ICT third-party service providers in respect of ICT third-party services. This includes enhanced obligations in respect of ICT third-party services supporting critical or important functions of financial entities.
Organisations are required to manage ICT third-party risk as an integral component of their ICT risk management framework. DORA prescribes obligations regarding the adoption of an ICT third-party risk strategy. This includes maintaining a register of information on all contractual arrangements with ICT third-party service providers, reporting requirements, audit requirements, and ensuring that third-party service providers comply with appropriate information security standards. DORA also specifies requirements for contractual arrangements with third-party service providers, and additional requirements for third-party services supporting “critical or important functions”.
Incident reporting
Financial entities are subject to the following four key obligations in respect of DORA incident reporting:
- ICT-related incident management process
- classification of ICT-related incidents and cyber threats
- reporting of major ICT-related incidents
- voluntary notification of significant cyber threats
Digital operational resilience testing
Financial entities must establish, maintain, and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk management framework. DORA sets out prescriptive requirements in respect of:
- testing of ICT tools and systems
- advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT)
- testers for carrying out TLPT
Information sharing
Financial entities may exchange cyber threat information and intelligence amongst themselves, provided such information and intelligence sharing:
- aims to enhance the digital operational resilience of financial entities
- takes place within trusted communities of financial entities
- protects the potentially sensitive nature of the information and complies with GDPR requirements
DORA will apply from 17 January 2025. In advance of this date, the European Supervisory Authorities (ESAs) will publish two tranches of regulatory technical standards and implementing technical standards addressing key areas of DORA.
Organisations should review their existing operational resilience, outsourcing and ICT risk management frameworks, and relevant existing ICT contracts and templates. Following this, organisations should assess potential gaps and plan the implementation of any changes required in advance of the January 2025 implementation date.
DORA and contracts
In our second DORA video, Patrick Brandt, Partner, Financial Regulation Advisory, and Mark Ellis, Partner, Commercial & Technology, discuss the impacts of DORA on ICT contracts, contractual requirements and third-party risk management.