Digital Operational Resilience Act (DORA)

We like to discuss the 5 primary areas which DORA focusses on:

  • ICT risk management (Chapter II DORA): Financial entities need to have a framework in place setting principles and requirements on ICT risk management, including a business continuity policy and a disaster recovery procedure. When distributing resources and capabilities for the implementation of the ICT risk management framework, financial entities need to balance their ICT-related needs to their size and overall risk profile, and the nature, scale, and complexity of their operations. The ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to adequately protect all information assets and ICT assets from risks including damage and unauthorized access or usage.
  • ICT-related incident management, classification, and reporting (Chapter III DORA): Financial entities need to define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. They need to establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling, and follow-up of ICT-related incidents, to ensure that root causes are identified, documented, and addressed to prevent the occurrence of such incidents.
  • Digital operational resilience testing (Chapter IV DORA): Financial entities need to establish, maintain, and review a comprehensive digital operational resilience testing program, including a range of assessments, tests, methodologies, practices and tools for the testing and advanced testing of the ICT tools, systems and processes based on threat-led penetration testing.
  • Managing of ICT third-party risks (Chapter V DORA): Financial entities need to manage ICT third-party risks as an integral component of ICT risk within their ICT risk management framework. This entails that, among other things, contracts in relation to the provision of ICT services will be required to contain certain key contractual provisions. The management of ICT third-party risks need to be implemented considering the nature, scale, complexity, and importance of ICT-related dependencies.
  • Information-sharing arrangements (Chapter VI DORA): Financial entities may, under certain circumstances, exchange amongst themselves cyber threat information and intelligence. The sharing arrangement needs to be in accordance with the GDPR, take place within trusted communities of financial entities and aim to enhance the digital operational resilience of financial entities.

In addition to the DORA, Regulatory Technical Standards are being published by the EBA, EIOPA and ESMA to ensure the consistent harmonization of the requirements laid down in DORA. Financial entities which are under the scope of DORA need to take these into account when implementing DORA.

On 27 December 2022, DORA was published in the Official Journal of the EU. It entered into force on 16 January 2023 and will apply as of 17 January 2025.