Digital Operational Resilience Act (DORA)
Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), is a comprehensive framework aimed at ensuring the financial sector in the EU can withstand and recover from ICT-related disruptions. Key sections include requirements for ICT riskRisk Means the potential for loss or disruption caused by an incident and is to be expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) management, incidentIncident Means an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive) reporting, operational resilience testing, and third-party risk management. DORA also establishes a regulatory oversight framework for critical third-party ICT serviceICT service Means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems. - Definition according Article 2, point (13), Regulation (EU) 2019/881 providers. It consolidates and updates ICT risk rules across various regulations, promoting consistency, legal certainty, and reduced compliance costs for financial entities operating across borders.
Structure and Key Sections
- General Provisions. This section outlines the scope and objectives of DORA, which applies to a broad range of financial entities, including banks, investment firms, and payment institutions. It defines key terms and establishes the legal foundation for the regulation, emphasizing the need for a uniform approach to digital resilience across the EU.
- ICT Risk Management. This section mandates that financial entities implement comprehensive ICT risk management frameworks. These frameworks must cover all aspects of ICT risk, including identification, protection, detection, response, and recovery. Entities are required to regularly review and update their risk management strategies to address evolving threats.
- ICT-Related Incident Reporting. DORA requires financial institutions to establish clear procedures for reporting significant ICT-related incidents. This includes incidents that have a substantial impact on the entityEntity Means a natural or legal person created and recognised as such under the national law of its place of establishment, which may, acting under its own name, exercise rights and be subject to obligations. - Definition according Article 6 Directive (EU) 2022/2555 (NIS2 Directive)’s operations, financial stability, or the protection of clients’ funds and data. Timely reporting to competent authorities is crucial for coordinated responses at the EU level.
- Digital Operational Resilience Testing
Financial entities must conduct regular digital operational resilience testing, including threat-led penetration testing (TLPT). The goal is to assess the effectiveness of their ICT risk management and preparedness for potential cyber threats. Entities identified as critical must undergo more stringent testing under the supervision of competent authorities. - Information Sharing. DORA encourages the sharing of information on cyber threats and vulnerabilities among financial entities. This cooperation aims to enhance collective resilience by enabling entities to learn from each other’s experiences and better prepare for potential threats.
- Management of Third-Party Risks. This section regulates the use of third-party ICT service providers, recognizing the risks associated with outsourcing critical functions. Financial entities are required to monitor and manage risks arising from third-party providers, ensuring that these providers meet strict resilience standards. Critical ICT providers may also be subject to direct oversight by EU regulators.
- Supervisory Measures and Penalties. DORA grants supervisory authorities the power to enforce compliance and impose penalties for breaches of the regulation. This section outlines the supervisory framework, detailing the powers of national and European authorities to ensure that financial entities adhere to the requirements. Penalties can be significant, reflecting the seriousness of non-compliance.
The regulation aims to create a harmonized approach to digital operational resilience, ensuring that financial systems in the EU are robust, secure, and capable of withstanding ICT-related disruptions.