Digital Operational Resilience Act (DORA)

Why it is relevant to you

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a European Union regulation that sets out how ICT and cyber risk must be managed across the financial sector.

The framework shifts the supervisory focus from guaranteeing firms' financial soundness alone to also ensuring they can withstand, respond to and recover from severe operational disruption, whether caused by cyber attacks or by other ICT failures.

By introducing a single consistent supervisory approach across the relevant sectors, DORA ensures convergence and harmonisation of security and resilience practices across the EU.


The most important in 30 seconds

Why is DORA relevant?

  • DORA will apply to more than 22,000 financial entities and ICT service providers operating within the EU. It introduces specific and prescriptive requirements for financial market participants of all kinds, e.g. banks, investment firms, insurance undertakings and intermediaries, crypto-asset service providers and data reporting service providers, and brings ICT third-party service providers such as cloud service providers within scope.

  • DORA covers the whole value chain with an end-to-end framework for ICT risk management, ICT and cyber security operational capabilities, and third-party risk management.
  • DORA's five key pillars: ICT risk management; ICT-related incident management; digital operational resilience testing; ICT third-party risk management; and information-sharing arrangements.
  • The regulation is unique in introducing a Union-wide oversight framework for critical ICT third-party service providers, as designated by the European Supervisory Authorities (ESAs).

When will DORA be enforced?

DORA entered into force on 16 January 2023. After a two-year implementation period it applies from 17 January 2025, by which date financial entities must be compliant.

Draft

On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP).

Reaching an Agreement

After the European Parliament and the Council had each adopted their negotiating positions on the Commission's proposal, the co-legislators held political and technical trilogues during H1 2022 and reached provisional agreement in May 2022. The European Parliament voted in favour of the act on 10 November 2022 and the Council adopted it on 28 November 2022.

Entering into Force

DORA was published in the Official Journal of the EU on 27 December 2022 and entered into force on 16 January 2023. From that point the European Supervisory Authorities (ESAs) develop the regulatory and implementing technical standards (RTS and ITS) that the regulation mandates.

RTS & ITS

Multiple regulatory and implementing technical standards are drafted by the ESAs and adopted by the Commission. They give entities the detailed specifications on how to implement particular DORA requirements, e.g. the criteria for classifying major incidents, the incident reporting templates and the format of the register of information on ICT third-party arrangements.

Enforcement

DORA's requirements apply 24 months after entry into force (16 January 2023), i.e. from 17 January 2025. Financial entities must be compliant by that date.

DORA – Are you ready?

We view DORA simultaneously as a challenge and opportunity for financial entities. The EU-wide uniform requirements of DORA mean that financial entities need to ensure they can manage a consistent maturity level of cyber security and operational resilience across all their EU operations. 

With a two-year “getting ready” period, there is a lot to consider, implement and demonstrate. Financial institutions should conduct comprehensive gap assessments now to evaluate their maturity against DORA and identify early any areas that require further investment and prioritisation. This puts the business in a better position to address the more demanding requirements, such as ICT supply chain risk management, threat intelligence and threat-led penetration testing, and can be a competitive advantage in the market.


DORA sets the regulatory focus on five key pillars

ICT Risk Management

Financial entities are required to set up a comprehensive ICT risk management framework, including:

  • set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk,

  • identify, classify and document critical or important functions and the ICT assets that support them,

  • continuously monitor all sources of ICT risk in order to set up protection and prevention measures,

  • establish prompt detection of anomalous activities,

  • put in place dedicated and comprehensive ICT business continuity policies and ICT response and recovery plans, tested at least yearly and covering all supporting functions,

  • establish mechanisms to learn and evolve both from external events and from the entity's own ICT incidents.

ICT-related Incident Management

Financial entities are required to:

  • develop a streamlined process to log and classify all ICT-related incidents and to determine which are major incidents according to the criteria set out in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA),

  • report major ICT-related incidents to the competent authority through an initial notification, an intermediate report and a final report, within the deadlines specified by the ESAs,

  • use the standard reporting templates developed by the ESAs so that incident reporting is harmonised across the EU.

Digital Operational Resilience Testing

The regulation requires all entities to:

  • at least yearly, test the ICT tools and systems supporting critical or important functions (vulnerability assessments, scenario-based tests, source code reviews, penetration tests and similar),

  • identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps found, with counteractive measures whose implementation is tracked to closure,

  • for entities identified by the competent authority, perform advanced Threat-Led Penetration Testing (TLPT) at least every three years on live production systems supporting critical or important functions, following the TIBER-EU model. ICT third-party service providers supporting those functions are required to participate and fully cooperate in the testing.

ICT Third-Party Risk Management

Financial entities are required to: 

  • ensure sound monitoring of the risks arising from reliance on ICT third-party service providers, as an integral part of the ICT risk management framework,

  • maintain a register of information on all contractual arrangements for ICT services (including intra-group services), make it available to the competent authority on request, report at least yearly on new arrangements, and notify the authority in advance of planned arrangements supporting critical or important functions,

  • take account of ICT concentration risk and the risks arising from sub-contracting, in particular where a critical or important function is subcontracted,

  • standardise the key elements of the service and of the relationship with ICT third-party providers so that they can be monitored end to end,

  • ensure that contracts with ICT third-party providers contain the mandatory provisions, such as a full description of the service levels, the locations where data is processed and stored, audit and access rights, and termination rights,

  • critical ICT third-party service providers will be subject to a Union Oversight Framework under which a Lead Overseer can issue recommendations on the mitigation of identified ICT risks. Financial entities must take into account the risks of continuing to rely on a provider that does not follow those recommendations; competent authorities may ultimately require them to suspend or terminate the arrangement.

Information Sharing

  • The regulation encourages financial entities to set up arrangements amongst themselves, within trusted communities, to exchange cyber threat information and intelligence, and requires them to notify the competent authority when they join or leave such an arrangement,

  • When an entity reports a major incident, the competent authority provides feedback including relevant anonymised information and intelligence on similar threats. Entities should therefore implement mechanisms to review and act on the information shared by the authorities.

Contact us

Michel Ganado


Digital Services Leader, PwC Malta

Tel: +356 2564 7091

Andrew Schembri


Digital Services Partner, PwC Malta

Tel: +356 79211355

Kirsten Cremona

Senior Manager, Digital Services, PwC Malta

Tel: +356 7975 6911
