DORA (Digital Operational Resilience Act) is the first legislation at the European level that aims to provide harmonised and comprehensive guidance on digital operational resilience for European financial institutions. Because the post-2008 financial services regulatory reform focused mainly on strengthening the economic resilience of the sector, the European Commission has set DORA's main objective as detecting and preventing cyber threats in advance and minimising their impact on the critical functions of the institution and the financial sector. Thus, actors in the financial sector can create a more resilient and reliable digital infrastructure by taking the necessary measures to strengthen ICT (information and communication technology) operations and increase security.
The Regulation entered into force on 16 January 2023 and will be effective as of 17 January 2025.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) addresses a significant problem in EU financial legislation. Before DORA, financial institutions managed the main categories of operational risk mainly through capital allocation, but not all components of operational resilience.
After DORA, they must also comply with rules for their ability to protect against, detect, limit, recover from, and repair ICT-related events. DORA explicitly refers to ICT risk and sets out rules on ICT risk management, incident reporting, operational resilience testing, and third-party risk monitoring. This Regulation recognises that even with ‘adequate’ capital for traditional risk categories, ICT incidents and lack of operational resilience are likely to jeopardise the soundness of the entire financial system.
As DORA is a new and complex piece of legislation, its overall content structure is summarised as follows:
- ICT (information and communication technology) Risk Management and Internal Governance Arrangements
- ICT-Related Events: Management, Classification and Reporting
- Digital Operational Resilience Test
- ICT Third-Party Risk Management and Contractual Arrangements
- Critical ICT Third-Party Service Providers and Oversight Framework
- Information sharing arrangements, supervision and enforcement
- Inspection and Implementation
- Link to other regulatory requirements
- Practical considerations
DORA (Digital Operational Resilience Act) is not a government agency. It is an initiative that aims to set standards for operational resilience-related measures that banks, exchanges and other financial market infrastructures must comply with.
What are the main requirements of DORA for financial organisations?
In principle, most of the requirements formulated in the DORA regulation, such as ICT risk management, are already known from financial sector regulations such as the EBA Guidelines, MaRisk or BAIT. In some cases, however, DORA goes beyond these, for example in the monitoring and supervision of ICT service providers or the supervision of ICT systems.
The following points should be noted:
- Reporting of ICT-related incidents
- Digital operational resilience testing
- Management of ICT third-party risk
- Information sharing arrangements
Who Does the DORA Regulation Apply to?
The Digital Operational Resilience Act requires financial companies to take measures to protect against risks related to ICT (information and communication technology). To achieve this, DORA requirements also cover third parties, such as cloud providers. The financial sectors affected by DORA are:
- Credit institutions
- Payment organisations
- Electronic money institutions
- Investment firms
- Crypto asset service providers
- Alternative investment funds
- Insurance managers
- Critical ICT third-party providers serving covered organisations
You can contact us at sales@cfecert.co.uk to ensure that you are prepared for your adaptation to DORA and to get more information on this subject.