The Digital Operational Resilience Act (DORA) is a sweeping new European Union (EU) framework that addresses digital operational resilience in the financial sector. This regulatory initiative unifies what was previously a patchwork of rules issued by individual EU member states. Here’s a look at what DORA means for financial institutions and other financial entities in terms of managing information and communication technology (ICT) risks.
Core DORA Objectives
At its core, DORA is an ICT risk management framework that establishes rules for the financial sector to ensure robust digital resilience and standardize practices across the EU to effectively handle and mitigate cyber threats and technology-related disruptions. A key aspect of DORA is the focus on not only preparing for potential ICT-related incidents, but also ensuring business continuity and reliability in digital operations. DORA will facilitate a more coordinated and efficient approach to digital resilience in Europe’s financial sector and ensure a high level of security and stability in the EU’s financial markets.
DORA was first proposed by the European Commission in 2020, and the Council of the EU and the European Parliament formally adopted it in 2022. Mandatory compliance starts on the effective date of enforcement, January 17, 2025. Those who need to comply with this binding regulation have until then to understand the rules and avoid falling foul of them.
Who Must Comply with DORA?
DORA casts a wide net in terms of who must comply with the framework. The rules apply to a broad spectrum of financial entities including credit institutions, investment firms, insurance and reinsurance companies, payment and electronic money institutions, and crypto-asset service providers. It also extends beyond just financial entities themselves to third-party ICT service providers, such as the many cloud service providers and data analytics firms that are crucial to the financial sector’s digital operations. These service providers are subject to stringent oversight and must also abide by the operational and risk management standards laid out in DORA.
The competent authorities in individual member states ultimately enforce the rules. Each competent authority can request that financial entities take remediation actions like fixing cybersecurity vulnerabilities. Competent authorities can also impose administrative penalties, with each member state having the power to decide its own appropriate penalties for breaches.
DORA: 4 Key Parts of Risk Management
DORA requirements for financial institutions fall into four key areas of risk management. Here’s a deep dive into these four areas and what financial services organizations and other relevant entities need to do to comply.
ICT Risk Management and Governance
Managing critical ICT risks starts with making an organization’s management take ultimate responsibility. This part of the regulation starts with a governance slant by obliging board members, executive leaders, and other senior managers to define their ICT risk management strategy and help with its execution.
Important requirements here include mapping ICT systems, documenting dependencies in ICT environments, conducting risk assessments, and documenting steps to mitigate cyber risks. These form the elements of a mandatory risk management oversight framework that each entity must establish. The rules here are broadly in line with previously published guidance from the European Banking Authority (EBA) in 2019 on risk management and the European Insurance and Occupational Pensions Authority (EIOPA) on governance in 2020.
ICT Incident Response
Effective incident response is imperative in the financial sector, where cyberattacks can spread from hitting one organization to affecting the stability of the entire sector. Included in DORA are rules about the important functions of incident reporting and classification. This includes classifying what constitutes significant cyber threats and analyzing root causes.
Timelines for reporting incidents haven’t yet been published, but this equally important part of incident management is not being ignored by EU regulators. European Supervisory Authorities (ESAs) will specify the deadlines in technical standards.
ICT Digital Operational Resilience Testing
Digital operational resilience testing is needed to ensure financial entities can withstand and recover from ICT-related disruptions and threats. This testing includes checking for vulnerabilities, the effectiveness of cybersecurity measures, and the ability to maintain critical functions during and after a cyber incident.
The testing requirements include a rule that firms of systemic importance to the financial system, or of sufficient maturity, conduct advanced threat-led penetration testing (TLPT) every three years. A Regulatory Technical Standard (RTS) specifies which firms count as systemically important or mature enough to fall under this rule.
ICT Third-Party Risk
Since DORA mandates compliance for the ICT providers that service the financial sector, the scope of the regulation already does a lot to address the growing risk of third-party threats like software supply chain attacks.
Financial entities must map out their third-party dependencies and ensure they don’t rely on a single provider or small group of providers for critical digital functions. The intent here is clearly to avoid scenarios where business continuity is hampered by one or two failures or attacks against critical ICT third-party service providers.
Another aspect of the framework’s focus on third-party risk is that financial entities can’t outsource critical functions when the third party doesn’t meet accessibility, integrity, and security requirements. Financial entities have to negotiate contractual arrangements about these requirements, and contracts found to be non-compliant can be suspended or terminated by competent authorities upon review.
The regulation covers not just outsourcing to cloud service providers (CSPs), to which the existing ESMA and EIOPA guidelines are limited, but also non-CSP outsourcing of ICT functions.
DORA and Information Sharing
Another important part of DORA is the section encouraging entities to participate in voluntary threat intelligence-sharing arrangements. The rationale for this focus is that it fosters a collective awareness and understanding of existing and emerging information security risks and helps to improve incident response. Shared information must still be protected under any relevant regulations (e.g., GDPR).
Digital transformation has changed the financial sector in many beneficial ways, but the increased reliance on digital technologies calls for more stringent regulations that address operational resilience in light of digital risks. DORA fits that bill for European countries.