What is the Digital Operational Resilience Act (DORA)? [2024]

As the digital landscape continues to evolve, protecting systems against fraud and cyber threats becomes crucial. Recognising this, the European Commission proposed a new regulatory framework for digital risk management in the financial sector.  

Meet DORA, the Digital Operational Resilience Act, aiming to establish a framework for managing and preventing ICT risk for financial services providers. By 17 January 2025, financial entities and their critical third-party technology service providers must comply with these technical standards in their ICT systems. 

Here’s a breakdown of what DORA is and how it affects financial services providers in the EU.

The purpose of DORA

The financial sector increasingly relies on digital systems to deliver services, depending on ICT (information and communication technologies) tools. To prevent fraud and protect sensitive information, financial services providers need to ensure their digital solutions are safe and compliant. 

With DORA, the EU aims to establish a universal regulation framework to mitigate risks associated with cyber threats and operational disruptions within the financial industry. By setting clear standards for operational resilience, incident reporting, and cross-border cooperation, DORA aims to enhance trust, stability, and security in financial services across the EU. This framework is pivotal for financial sector digital resilience under DORA. 

What is DORA?

DORA, the Digital Operational Resilience Act, entered into force on 16 January 2023 and will apply from 17 January 2025, giving financial entities and third-party ICT service providers until then to comply with its requirements. Implementing Digital Operational Resilience Act compliance strategies is critical for meeting this deadline. 

The DORA regulation applies to financial services providers in the EU, including traditional financial entities like banks, insurance companies, and credit institutions, as well as non-traditional entities like crowdfunding platforms and providers of crypto-asset services. Notably, it also encompasses certain entities typically outside the scope of financial regulations, such as third-party service providers that supply financial firms with ICT systems and services, like cloud service providers and data centres. Understanding the EU DORA regulation impact on ICT providers is essential for these entities. 

Key components of DORA (Digital Operational Resilience Act)

The DORA regulation includes technical requirements across five key components:

• ICT risk management and governance: DORA makes financial entities responsible for ICT management. Organisations are expected to define appropriate risk management strategies, actively assist in executing them, and stay current on their knowledge of the ICT risk landscape. Adhering to DORA ICT risk management requirements is a fundamental aspect of this component. 
• Incident management, response and reporting: Financial services providers must set up an ICT-related incident management process and develop the necessary abilities to monitor, manage, log, classify, and report these incidents. 
• Digital operational resilience testing: Entities must regularly test their ICT systems to evaluate the strength of their protections and identify vulnerabilities. Critical ICT systems and applications are required to undergo yearly testing, and certain financial entities must conduct advanced threat-led penetration testing at least once every three years.
• Third-party risk management: Financial institutions are required to take an active role in and establish a strategy for managing third-party risk. They must also keep a record of all contractual agreements with ICT third-party service providers in a dedicated Register of Information.
• Information-sharing arrangements: Financial institutions are permitted to establish processes for exchanging cyber threat information and intelligence and learning from these ICT-related incidents.  

It’s worth noting that key details of the DORA ICT risk management requirements are still under development by the European Supervisory Authorities (ESAs). The ESAs, which oversee the EU financial system, include The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). These standards are expected to be finalised in 2024. 

Why DORA compliance matters to financial services providers 

Compliance with the Digital Operational Resilience Act (DORA) is crucial for financial services providers across the EU. Here are some reasons why DORA compliance matters:

• Enhanced cybersecurity: DORA focuses on preventing cyber threats within financial institutions. Implementing these standards enables firms to safeguard sensitive customer data and financial transactions from malicious attacks effectively.  
• Customer trust and loyalty: Compliance with DORA can foster stronger customer relationships, as it ensures secure handling of customers’ data.  
• Risk reduction: DORA emphasises proactive ICT risk management, obligating organisations to identify, assess, and mitigate risks associated with their digital operations. This approach reduces the likelihood of operational failures and financial losses due to ICT-related incidents.
• Regulatory compliance: Compliance with DORA ensures adherence to EU regulatory requirements. Non-compliance can lead to fines and reputational damage.

Conclusion

DORA is a proactive step towards protecting the financial sector against the escalating risks of digital transformation, and preparing for DORA regulatory standards is essential. By leveraging Digital Operational Resilience Act compliance strategies and understanding the EU DORA regulation impact on ICT providers, financial institutions can navigate the complex landscape of digital resilience with confidence. Ensuring compliance with DORA ICT risk management requirements and preparing for DORA regulatory standards will be key to achieving robust financial sector digital resilience under DORA. 

By establishing clear standards for cybersecurity and operational resilience, it ensures that financial institutions can effectively handle cyber threats and operational disruptions. As the compliance deadline approaches, financial entities and their ICT service providers should begin their preparations immediately. Doing so will not only enhance their security but also contribute to a more stable and reliable financial ecosystem.