What is the EU Digital Operational Resilience Act (DORA)?

Compliance | July 17, 2024 | 6 minutes | By Mikkel Oxfeldt

The Digital Operational Resilience Act (DORA) is a regulatory framework enacted by the European Union to increase the cyber resilience of financial services institutions. Applicable from January 17, 2025, DORA (Regulation (EU) 2022/2554) requires financial entities in the EU to strengthen their operational resilience against disruptions such as cyberattacks, placing response and recovery alongside the traditional focus on protection and detection.

By mandating stringent standards for information and communication technology (ICT) risk management, incident reporting, resilience testing, and third-party service provider oversight, DORA aims to ensure that the financial sector in Europe can maintain business continuity during and after serious operational disruptions.

Who must comply with DORA standards? 

Under DORA, a wide range of financial entities — including banks, insurance firms, investment firms, crypto-asset service providers, trading venues, and payment and e-money institutions — must comply with rigorous standards to ensure operational stability, and critical ICT third-party service providers fall under a dedicated oversight framework. This comprehensive regulation spans organizational, technical, operational, and people-related aspects.

This regulation necessitates comprehensive changes in how financial institutions approach ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing. By integrating these elements into their operational strategies, organizations can better prepare for and mitigate the impacts of potential cyber threats, thereby maintaining the stability and integrity of the financial system across the EU.

DORA represents a significant shift towards a more resilient and secure financial sector, encouraging proactive measures and collaborative efforts to combat cyber threats effectively.

5 key DORA regulation requirements, with relevant chapters and articles 

  • ICT risk management: Chapter II, Articles 5 to 16 
  • Incident reporting: Chapter III, Articles 17 to 23 
  • Resilience testing: Chapter IV, Articles 24 to 27 
  • Third-party risk management: Chapter V, Articles 28 to 44 
  • Information sharing: Chapter VI, Article 45 


The DORA framework is structured around five primary pillars, each mapped to the chapters and articles of the regulation as published in the Official Journal of the EU; the list above gives the chapter and article ranges for each pillar.

The regulation’s objectives for strengthening EU financial entities are achieved through:

1. ICT risk management: This pillar emphasizes the development of a comprehensive ICT risk management framework. This framework should encompass strategies, policies, procedures, protocols, and tools necessary, including backup and restore procedures, for safeguarding ICT systems. The management body, typically the board of directors, holds the responsibility for this framework. Although the bulk of DORA requirements falls under IT teams, the risk management function must integrate these requirements into the overall risk management strategies of the company. 

2. ICT-related incident management and reporting: This component requires firms to classify ICT-related incidents and report major ones to the appropriate supervisory authorities. A "major" incident is one that has a high adverse impact on the network and information systems supporting critical or important functions of the entity. Firms must provide an initial notification, an intermediate report, and a final report analyzing the incident's root causes, within the deadlines set in the accompanying technical standards. This standardization aims to improve incident response and management processes.

3. Operational resilience testing: ICT systems and tools supporting critical or important functions must be tested at least yearly to evaluate the effectiveness of a firm's digital operational resilience. These tests include, among others, vulnerability assessments and scans, gap analyses, network security assessments, scenario-based tests and penetration testing. Financial entities identified by their competent authority on the basis of size, impact and risk profile must additionally conduct threat-led penetration testing (TLPT) at least every three years. While many companies already perform some level of resilience testing, DORA sets specific requirements that may necessitate changes to existing practices.

4. Third-party risk management: Integrating third-party risk management into the company's ICT risk framework is essential. Financial entities must thoroughly assess potential ICT service providers before entering into contractual agreements. Contracts for ICT services supporting critical or important functions must contain specified provisions, comply with supervisory requirements, and identify and mitigate the associated risks. Additionally, firms must maintain a register of information covering all contractual arrangements on the use of ICT services, distinguishing those that support critical or important functions.

5. Information sharing: DORA encourages, but does not mandate, the sharing of cyberthreat information and intelligence among financial entities. This sharing should occur within trusted communities and be formalized through structured arrangements that protect the sensitivity of the information exchanged. Financial entities must notify the relevant competent authorities when they join or leave such an arrangement, promoting a collaborative approach to enhancing digital operational resilience.

How DORA impacts the financial sector of the European Union 


DORA significantly reshapes cybersecurity for the European financial sector, introducing strict measures to enhance operational resilience and ensure robust protection against cyberthreats:

  • Enhanced cybersecurity and resilience: DORA mandates that financial entities implement robust cybersecurity measures to ensure their systems can withstand and recover from cyber threats and incidents. This includes regular testing, incident reporting, and continuous monitoring to identify vulnerabilities and mitigate risks promptly.

  • Standardization across member states: By establishing uniform requirements for digital operational resilience, DORA reduces discrepancies between national regulations. This harmonization ensures a level playing field for financial institutions operating across different EU countries, facilitating smoother cross-border operations and compliance.

  • Third-party risk management: DORA emphasizes the need for financial entities to manage risks associated with third-party ICT service providers. This includes rigorous due diligence, contractual arrangements, and continuous oversight of third-party services to ensure they meet the required resilience standards.

  • Regulatory oversight and reporting: The regulation introduces stringent reporting requirements for major ICT-related incidents. Financial entities must report such incidents to the relevant authorities within the timeframes set for the initial notification, intermediate report and final report. This improves transparency and allows regulators to monitor and respond to systemic risks more effectively.

  • Operational resilience testing: Financial institutions are required to conduct regular operational resilience testing, including advanced threat-led penetration testing (TLPT). This helps in identifying and addressing weaknesses in their ICT infrastructure before they can be exploited by malicious actors.

  • Governance and control: DORA places a strong emphasis on governance, requiring financial entities to establish comprehensive ICT risk management frameworks. This involves the appointment of senior-level responsibility for overseeing digital operational resilience and ensuring that ICT risk management is integrated into the overall risk management framework of the institution.

  • Increased accountability: The regulation increases the accountability of financial institutions and their management. By stipulating clear roles and responsibilities for managing digital operational resilience, DORA ensures that senior management and boards of directors are directly accountable for their organization's cybersecurity posture.

  • Consumer protection: By enhancing the resilience of financial institutions, DORA indirectly protects consumers from the fallout of cyber incidents, such as data breaches and service disruptions. This fosters greater trust in the financial system and ensures the stability and integrity of financial services.

  • Innovation and competition: While DORA imposes stringent requirements, it also encourages innovation by fostering a secure environment where financial technology (fintech) firms and traditional financial institutions can thrive. By providing clear guidelines, DORA helps fintech firms navigate the regulatory landscape, thus promoting healthy competition and innovation in the financial sector.

  • Compliance and penalties: DORA leaves the administrative penalties and remedial measures for financial entities to the Member States, which must provide for effective, proportionate and dissuasive sanctions; the regulation itself sets out periodic penalty payments of up to 1% of average daily worldwide turnover for critical ICT third-party service providers that fail to comply with the Lead Overseer. The severity of a sanction will take into account the seriousness of the breach and the institution's level of cooperation with regulatory authorities. Financial entities must therefore invest in compliance programs, which may involve substantial initial costs but ultimately lead to a more secure and resilient operational environment.

DORA represents a comprehensive approach to enhancing the digital operational resilience of the financial sector in the EU. It ensures that financial institutions are better prepared to tackle cyberthreats and operational disruptions, thereby maintaining the stability and integrity of the financial system. By harmonizing regulations across member states and emphasizing robust risk management practices, DORA not only safeguards financial entities but also bolsters consumer confidence and fosters innovation in the financial sector.

Additional DORA regulation resources, such as the status of DORA implementation and the accompanying technical standards, can be found via the European Banking Authority and the other European Supervisory Authorities.

Author

Mikkel Oxfeldt is General Counsel, Attorney-at-law at Keepit. He started his career in private practice in 1999 advising IT-services providers and telecoms and has been individually named in Legal 500. He later moved in-house, holding various roles ranging from medium-sized scaleups to large, listed businesses. Mikkel has built the legal department at Keepit with the mantra of providing commercially sound legal advice in a timely fashion. Mikkel joined Keepit in 2020 together with the A-round funding from One Peak Partners.