What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA) is a European Union regulation (Regulation (EU) 2022/2554) that aims to strengthen digital operational resilience and cybersecurity in the financial sector. Its main objective is to ensure that financial entities can deliver secure and reliable digital services, and that the European financial sector continues to function in the event of a serious ICT disruption, whether caused by a cyber-attack or by an operational failure. The regulation responds to the growing number of cyber-attacks targeting the European financial sector.
Harmonising and improving the rules already in place, and standardising the model for reporting ICT-related incidents, are among the main objectives of DORA, which is fully applicable from January 17, 2025.
Strengthening operational resilience within the financial sector so that business continues during a cyber-attack is another central goal of the regulation. DORA also reaches beyond financial entities: ICT third-party service providers designated as critical fall under a direct oversight regime run by the European Supervisory Authorities, namely the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), which can carry out inspections of those providers.
Any financial entity offering financial services in the European Union must comply with the regulation, which rests on five pillars:
The first pillar is ICT risk management. Financial entities must operate an ICT risk management framework that builds on the EBA guidelines on ICT and security risk management.
In practice, each entity must have a comprehensive and effective risk management system in place to identify, protect against, detect, respond to and recover from the risks associated with its digital operations, so that business continuity is preserved.
The second pillar is ICT-related incident management, classification and reporting. Major ICT-related incidents are reported to the competent authority using harmonised notification templates; an initial notification is due within hours of the incident being classified as major, and the final report within at most one month. Centralising these reports makes it easier for authorities to detect trends across the sector.
The third pillar is digital operational resilience testing, with threat-led testing as its main focus. All ICT systems and applications supporting critical or important functions must be tested at least once a year (vulnerability assessments, source code analysis, performance and capacity testing, and so on), and entities designated by their authority must additionally undergo advanced threat-led penetration testing (TLPT) of critical functions and services at least every three years.
The fourth pillar is information sharing. The exchange of cyber threat information and intelligence between financial entities is a key point of the regulation: it raises awareness of new threats affecting the financial sector, limits their spread, and supports defensive capabilities and threat detection techniques.
The fifth pillar is the management of ICT third-party risk. DORA extends its perimeter to the ICT service providers on which financial entities depend: entities must maintain a register of information giving a complete view of all contractual arrangements for ICT services, identify which of those services support critical or important functions, and report new arrangements to the competent authority at least annually.
DORA entered into force on January 16, 2023, which started a two-year implementation period; the regulation applies in full from January 17, 2025.
Do you need to comply with DORA? Ask us how to do it.