Digital Operational Resilience Act (DORA): The 7 Most Important Questions

4. July 2023

The Digital Operational Resilience Act (DORA) is a major regulatory development that aims to improve the operational resilience of digital financial sector systems in the European Union (EU). In this post, we answer the most frequently asked questions about DORA: from the need and implications to compliance requirements.

  1. What is the Digital Operational Resilience Act (DORA)?
  2. What are the most important requirements?
  3. How will DORA affect the European financial sector?
  4. How does DORA relate to other existing regulations and policies?
  5. How long do financial institutions have to implement the DORA regulations?
  6. How should financial institutions respond to DORA?
  7. Why were third party providers included in the scope of the DORA regulation?

1. What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act, or DORA, is a regulation (Regulation (EU) 2022/2554) introduced by the European Commission to close existing regulatory gaps for the entire European financial sector. DORA adds rules for handling ICT-related incidents, improving the operational resilience of financial sector digital systems. Prior to its introduction, financial institutions managed their operational resilience primarily through capital allocation, but there was a need for a comprehensive framework for managing all components of operational resilience. DORA recognizes that ICT incidents and a lack of resilience can have serious consequences for the stability of the financial system, even when there is sufficient capital for traditional risk categories.

2. What are the most important requirements?

DORA imposes several requirements on financial institutions to improve their digital resilience. These requirements include:

  • ICT risk management: Financial institutions must establish and maintain effective ICT risk management frameworks, policies, and procedures to identify, assess, manage, and mitigate ICT-related risks.
  • Incident Reporting: Institutions are required to report significant ICT-related incidents to the relevant authorities without delay to enable a coordinated response and analysis of potential systemic risks.
  • Operational resilience testing: regular testing and assessment of institutions' operational resilience is mandatory to ensure that they can effectively detect, mitigate, recover from, and resolve ICT-related incidents.
  • Monitoring third-party ICT risks: Financial institutions must monitor and manage risks associated with third-party providers, such as cloud providers, and ensure that their digital resilience measures are also in line with DORA requirements.

3. How will DORA affect the European financial sector?

DORA will have a significant impact on financial institutions operating in the EU. Compared to the two existing EBA guidelines (Guidelines on ICT and Security Risk Management and Guidelines on Outsourcing), DORA regulates a larger number and further forms of financial firms. It applies not only to credit institutions, insurance companies and investment firms, but equally to payment institutions, capital management companies, crypto service providers, credit rating agencies and ICT service providers.

All regulated financial institutions and their third-party ICT providers must adapt their governance, risk management, and operational practices to comply. The regulation sets a higher standard for operational resilience and cyber security, ensuring that financial institutions are better equipped to withstand and recover from ICT-related incidents. DORA compliance will require significant investments in technology, processes and resources.

4. How does DORA relate to other existing regulations and policies?

DORA is designed as a "lex specialis" and will supersede any overlapping regulatory texts such as the Network and Information Systems (NIS) Directive or the overlapping parts of the European Supervisory Authorities' guidelines. Financial institutions should use DORA as the main reference point for their compliance efforts to avoid unforeseen gaps when the regulation comes into force.

5. How long do financial institutions have to implement the DORA regulations?

DORA gives financial institutions a two-year preparation period (2023 and 2024) to align their governance and practices with the regulation's resilience pillars and develop a roadmap for implementation. The regulation is expected to come into force in early 2025, with mandatory reporting, assessment and testing to be completed by then.

6. How should financial institutions respond to DORA?

Financial institutions should proactively prepare for the implementation of DORA by taking the following steps:

  • Perform a gap analysis: Assess your organization's current maturity level in terms of governance, risk management, and compliance with existing policies and standards.
  • Develop a roadmap: Identify the priorities and efforts required to meet DORA requirements and create a robust strategy for operational resilience of digital systems.
  • Align governance and practices: Ensure that the institution's governance and operational practices align with the pillars of resilience outlined in DORA.
  • Monitor regulatory updates: Keep abreast of new regulatory technical standards (RTS) and implementing technical standards (ITS) that may be established by regulators during the implementation period.

7. Why were third party providers included in the scope of the DORA regulation?

Ongoing digitalization and the constantly evolving state of the art are leading financial institutions to outsource relevant core processes to third-party ICT providers, such as cloud service providers. Security gaps or weaknesses in processes of these providers can pose a direct risk to the resilience of institutions. It is therefore all the more important that the resilience of the service providers is as securely positioned as that of the institutions themselves.

Although critical third-party ICT providers fall within the scope of DORA, full responsibility for outsourced services and processes remains with the institutions themselves. Therefore, an appropriate risk assessment must be carried out prior to outsourcing and on a regular or ad hoc basis. In addition, institutions should regularly ensure, for example through an audit, that their third-party providers fully comply with the requirements of the DORA regulation.


Do you need support with gap analysis or a harmonization project in your company? We are happy to help!

View the Digital Operational Resilience Act here: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554&qid=1673554022989

Also interesting:

DORA Countdown: One Month Left Until the Deadline

DORA Countdown: One Month Left Until the Deadline

DORA, the Digital Operational Resilience Act, will fully apply as of 17 January 2025. We have summarized everything you need to know about the EU regulation, preparation and best practices from our news blog.

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

Sunset of PCI DSS v4.0 on 31 December 2024: Get Ready!

PCI DSS v4.0: In March 2024, version 4.0 of the Payment Card Industry Data Security Standard became mandatory after a two-year transition phase. Just a few months later, version 4.0.1 was released as a minor update of the standard, which will become mandatory on...

Top 3 Vulnerabilities in SSO Pentests

Top 3 Vulnerabilities in SSO Pentests

During their penetration tests (pentests), our security analysts at usd HeroLab repeatedly uncover vulnerabilities that pose significant risks to corporate security. They increasingly encounter the same vulnerabilities. Our blog series "Top 3 Vulnerabilities" presents...

Categories

Categories