Digital Operational Resilience Act (DORA)
Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), is a comprehensive framework aimed at ensuring the financial sector in the EU can withstand and recover from ICT-related disruptions. Key sections include requirements for ICT risk management, incident reporting, operational resilience testing, and third-party risk management. DORA also establishes a regulatory oversight framework for critical third-party ICT service providers. It consolidates and updates ICT risk rules across various regulations, promoting consistency, legal certainty, and reduced compliance costs for financial entities operating across borders.
Structure and Key Sections
- General Provisions. This section outlines the scope and objectives of DORA, which applies to a broad range of financial entities, including banks, investment firms, and payment institutions. It defines key terms and establishes the legal foundation for the regulation, emphasizing the need for a uniform approach to digital resilience across the EU.
- ICT Risk Management. This section mandates that financial entities implement comprehensive ICT risk management frameworks. These frameworks must cover all aspects of ICT risk, including identification, protection, detection, response, and recovery. Entities are required to regularly review and update their risk management strategies to address evolving threats.
- ICT-Related Incident Reporting. DORA requires financial institutions to establish clear procedures for reporting significant ICT-related incidents. This includes incidents that have a substantial impact on the entity’s operations, financial stability, or the protection of clients’ funds and data. Timely reporting to competent authorities is crucial for coordinated responses at the EU level.
- Digital Operational Resilience Testing. Financial entities must conduct regular digital operational resilience testing, including threat-led penetration testing (TLPT). The goal is to assess the effectiveness of their ICT risk management and preparedness for potential cyber threats. Entities identified as critical must undergo more stringent testing under the supervision of competent authorities.
- Information Sharing. DORA encourages the sharing of information on cyber threats and vulnerabilities among financial entities. This cooperation aims to enhance collective resilience by enabling entities to learn from each other’s experiences and better prepare for potential threats.
- Management of Third-Party Risks. This section regulates the use of third-party ICT service providers, recognizing the risks associated with outsourcing critical functions. Financial entities are required to monitor and manage risks arising from third-party providers, ensuring that these providers meet strict resilience standards. Critical ICT providers may also be subject to direct oversight by EU regulators.
- Supervisory Measures and Penalties. DORA grants supervisory authorities the power to enforce compliance and impose penalties for breaches of the regulation. This section outlines the supervisory framework, detailing the powers of national and European authorities to ensure that financial entities adhere to the requirements. Penalties can be significant, reflecting the seriousness of non-compliance.
The regulation aims to create a harmonized approach to digital operational resilience, ensuring that financial systems in the EU are robust, secure, and capable of withstanding ICT-related disruptions.