What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is a regulation adopted by the European Union (EU) to enhance the resilience of financial institutions and their information and communications technology (ICT) systems against cyber threats and operational disruptions. It was officially published in the EU’s Official Journal in January 2023 and will become fully applicable on January 17, 2025.

Why was DORA introduced?

DORA was designed in response to increasing cyber risks and operational dependencies within the financial sector. Financial institutions rely heavily on ICT systems, and cyberattacks or disruptions can have catastrophic effects on the economy. The EU introduced DORA to ensure that financial institutions:

  1. Are resilient to ICT risks.
  2. Have mechanisms to recover from incidents.
  3. Maintain consistent standards across the EU.

Who does DORA apply to?

DORA applies broadly across the financial sector, covering around 22 types of entities, including:

  • Banks
  • Insurance companies
  • Investment firms
  • Payment service providers
  • Credit rating agencies
  • Crypto-asset service providers
  • Third-party ICT providers (e.g., cloud services, software vendors)

What are the key components of DORA?

DORA focuses on five main pillars to ensure the operational resilience of financial entities:

  1. ICT Risk Management
    • Financial entities must implement a robust ICT risk management framework to identify, mitigate, and monitor risks.
    • Regular assessments and governance processes are mandatory.
  2. Incident Reporting
    • Entities must report serious ICT-related incidents to relevant national regulators.
    • Standardized templates and thresholds for reporting will be implemented.
  3. Digital Operational Resilience Testing
    • Financial institutions must conduct regular testing (e.g., penetration testing) of their ICT systems.
    • Critical systems require advanced testing by accredited third-party providers.
  4. Third-Party Risk Management
    • Entities must manage risks associated with third-party ICT providers (e.g., cloud or SaaS providers).
    • Contracts with third parties will need to comply with DORA’s standards, and oversight will be strengthened.
  5. Information Sharing
    • Financial institutions are encouraged to share information and intelligence on cyber threats and vulnerabilities to improve collective resilience.

DORA's impact falls into three main areas:

  1. Unified Regulation: DORA creates a harmonized framework for ICT risk management across all EU member states.
  2. Third-Party Accountability: DORA holds external ICT providers accountable, ensuring they meet regulatory standards.
  3. Improved Resilience: Financial institutions will be better prepared to withstand and recover from cyber incidents and operational disruptions.

The timeline for DORA is:

  • January 16, 2023: DORA entered into force.
  • January 17, 2025: DORA becomes fully applicable, and all financial entities must comply.

Why does DORA matter for businesses?

Financial institutions and ICT providers must:

  • Align with DORA’s strict risk management and testing requirements.
  • Update contracts and oversight mechanisms for third-party providers.
  • Develop capabilities for standardized incident reporting and recovery plans.

In short, DORA is the EU’s effort to ensure the digital resilience of its financial sector. It’s a big deal not just for banks, but for any technology provider supporting financial institutions, since third-party ICT providers fall within its scope.