What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) is a European Union regulation designed to strengthen the digital operational resilience of the financial sector. It aims to ensure the financial sector in Europe can withstand and recover from ICT-related disruptions and threats. DORA was enacted in January 2023 and will be applicable starting January 17, 2025.

Key aspects of DORA:

Scope: DORA applies to a wide range of financial entities operating within the EU, including banks, credit institutions, insurance companies, investment firms, crypto-asset service providers, and third-party suppliers of ICT services. However, some microenterprises and SMEs are exempt.

Objectives: DORA seeks to comprehensively address ICT risk management in the financial services sector and harmonize ICT risk management regulations across EU member states. It aims to reduce susceptibility to cyber threats across the financial sector’s value chain and create a uniform regulatory framework across the EU.

Pillars: DORA’s requirements are organized into five core pillars that address different aspects of ICT and cybersecurity, together providing a comprehensive digital resilience framework for in-scope entities:

  • ICT risk management
  • ICT-related incident management, classification, and reporting
  • Digital operational resilience testing
  • Management of ICT third-party risk, including an oversight framework for critical ICT third-party service providers
  • Information sharing arrangements

Requirements: DORA requires financial entities to establish resilient ICT systems and tools, conduct continuous risk assessments, implement cybersecurity protection measures, and develop incident management and reporting procedures. It also emphasizes the management of relationships with ICT service providers through structured oversight and documentation.

Enforcement: DORA assigns responsibility for ICT management to an entity’s management body, with potential accountability for failures to comply. National competent authorities will oversee compliance and enforce the regulation.

DORA consolidates and upgrades ICT risk requirements, addressing gaps and inconsistencies in previous regulations. It promotes a consistent supervisory approach across sectors through specific criteria, templates, and instructions for managing ICT and cyber risks.
