The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by January 17, 2025.
Purpose of DORA
DORA has two main objectives: to comprehensively address ICT risk management in the financial services sector and to harmonize the ICT risk management regulations that already exist in individual EU member states.
Before DORA, risk management regulations for financial institutions in the EU primarily focused on ensuring that firms had enough capital to cover operational risks. While some EU regulators released guidelines on ICT and security risk management (link resides outside ibm.com), these guidelines didn’t apply to all financial entities equally, and they often relied on general principles rather than specific technical standards. In the absence of EU-level ICT risk management rules, EU member states issued their own requirements. This patchwork of regulations has proven difficult for financial entities to navigate.
With DORA, the EU aims to establish a universal framework for managing and mitigating ICT risk in the financial sector. By harmonizing risk management rules across the EU, DORA seeks to remove the gaps, overlaps, and conflicts that could arise between disparate regulations in different EU states. A shared set of rules can make it easier for financial entities to comply while improving the entire EU financial system’s resilience by ensuring that every institution is held to the same standard.
DORA applies to all financial institutions in the EU. That includes traditional financial entities, like banks, investment firms, and credit institutions, and non-traditional entities, like crypto-asset service providers and crowdfunding platforms.
Notably, DORA also applies to some entities typically excluded from financial regulations. For example, third-party service providers that supply financial firms with ICT systems and services—like cloud service providers and data centers—must follow DORA requirements. DORA also covers firms that provide critical third-party information services, like crediting rating services and data analytics providers.
Current status of DORA
DORA was first proposed by the European Commission—the executive branch of the EU responsible for introducing legislation—in September 2020. It’s part of a larger digital financial package that also includes initiatives for regulating crypto-assets and enhancing the EU’s overall digital finance strategy. The Council of the European Union and the European Parliament (the legislative bodies responsible for approving EU laws) formally adopted the DORA in November 2022. Financial entities and third-party ICT service providers have until January 17, 2025 to comply with DORA before enforcement starts.
While the EU has officially adopted DORA, key details are still being ironed out by the European Supervisory Authorities (ESAs). The ESAs are the regulators that oversee the EU financial system, including The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA).
The ESAs are in charge of drafting the regulatory technical standards (RTS) and implementing technical standards (ITS) that covered entities must implement. These standards are expected to be finalised in 2024. The European Commission is developing an oversight framework for critical ICT providers, which is also expected to be finalised in 2024.
Once the standards are finalised and the January 2025 deadline has arrived, enforcement will fall to designated regulators in each EU member state, known as “competent authorities.” The competent authorities can request that financial entities take specific security measures and remediate vulnerabilities. They’ll also be able to impose administrative — and, in some cases, criminal — penalties on entities that fail to comply. Each member state will decide on its own penalties.
ICT providers deemed “critical” by European Commission will be directly supervised by “Lead Overseers” from the ESAs. Like competent authorities, Lead Overseers can request security measures and remediation and penalise noncompliant ICT providers. DORA allows Lead Overseers to levy fines on ICT providers amounting to 1 percent of the provider’s average daily worldwide turnover in the previous business year. Providers can be fined every day for up to six months until they achieve compliance.
DORA establishes technical requirements for financial entities and ICT providers across four domains: ICT risk management and governance, incident response and reporting, resilience testing, and third-party risk management.
Information sharing is encouraged but not required.
Requirements will be enforced proportionately, meaning smaller entities will not be held to the same standards as major financial institutions. While the RTSs and ITSs for each domain are still under development, the existing DORA legislation offers some insight into the general requirements.
ICT risk management and governance
The DORA makes an entity’s management body responsible for ICT management. Board members, executive leaders, and other senior managers are expected to define appropriate risk management strategies, actively assist in executing them, and stay current on their knowledge of the ICT risk landscape. Leaders can also be held personally accountable for an entity’s failure to comply.
Covered entities are expected to develop comprehensive ICT risk management frameworks. Entities must map their ICT systems; identify and classify critical assets and functions; and document dependencies between assets, systems, processes, and providers. Entities must conduct continuous risk assessments on their ICT systems, document and classify cyberthreats, and document their steps to mitigate identified risks.
As part of the risk assessment process, entities must conduct business impact analyses to assess how specific scenarios and severe disruptions might affect the business. Entities should use the results of these analyses to set levels of risk tolerance and inform the design of their ICT infrastructure. Entities will also be expected to put appropriate cybersecurity protection measures in place, including policies (e.g., identity and access management (IAM), patch management) and technical controls or solutions (e.g., XDR, SIEM, and SOAR software).
Entities will also need to establish business continuity and disaster recovery plans for various cyber risk scenarios, such as ICT service failures, natural disasters, and cyberattacks. These plans must include data backup and recovery measures, system restoration processes, and plans for communicating with affected clients, partners, and authorities.
RTSs specifying the required elements of an entity’s risk management framework are forthcoming. Experts believe they will be similar to the existing EBA guidelines on ICT and security risk management (link resides outside networkgate.lt).
Covered entities must establish systems for monitoring, managing, logging, classifying, and reporting ICT-related incidents. Depending on the severity of the incident, entities may need to make reports to both regulators and affected clients and partners. Entities will be required to file three different kinds of reports for critical incidents: an initial report notifying authorities, an intermediate report on progress toward resolving the incident, and a final report analysing the root causes of the incident.
The rules on how incidents should be classified, which incidents must be reported, and timelines for reporting are forthcoming. ESAs are also exploring ways to streamline reporting by establishing a central hub and common report templates.
Digital operational resilience testing
Entities must test their ICT systems regularly to evaluate the strength of their protections and identify vulnerabilities. The results of these tests and plans for addressing any weaknesses they find will be reported to and validated by the relevant competent authorities.
Entities must carry out basic tests, like vulnerability assessments and scenario-based testing, once a year. Financial entities judged to play a critical role in the financial system will also need to undergo threat-led penetration testing (TLPT) every three years. The entity’s critical ICT providers will be required to participate in these penetration tests as well. Technical standards on how TLPTs should be carried out are forthcoming, but they’re likely to align with the TIBER-EU framework (link resides outside ibm.com) for threat intelligence-based ethical red-teaming.
Third-party risk management
One unique aspect of DORA is that it applies not only to financial entities but also to the ICT providers that service the financial sector.
Financial firms are expected to take an active role in managing ICT third-party risk. When outsourcing critical and important functions, financial entities must negotiate specific contractual arrangements regarding exit strategies, audits, and performance targets for accessibility, integrity, and security, among other things. Entities will not be allowed to contract with ICT providers who cannot meet these requirements. The competent authorities are empowered to suspend or terminate contracts that don’t comply. The European Commission is exploring the possibility of drafting standardised contractual clauses that entities and ICT providers can use to ensure their agreements comply with DORA.
Financial institutions will also need to map their third-party ICT dependencies, and they’ll be required to ensure their critical and important functions are not too heavily concentrated with a single provider or small group of providers.
Critical ICT third-party service providers will be subject to direct oversight from relevant ESAs. The European Commission is still developing the criteria for determining which providers are critical. Those that meet the standards will have one of the ESAs assigned as a Lead Overseer. In addition to enforcing DORA requirements on critical providers, Lead Overseers will be empowered to forbid providers from entering into contracts with financial firms or other ICT providers that don’t comply with the DORA.
Financial entities must establish processes for learning from both internal and external ICT-related incidents. Toward that end, the DORA encourages entities to participate in voluntary threat intelligence sharing arrangements. Any information shared this way must still be protected under the relevant guidelines—e.g., personally identifiable information (PII) is still subject to GDPR considerations.