Digital Operational Resilience Act (DORA)
Enacted by the European Union, this regulation is aimed at enhancing the digital operational resilience of financial entities within the EU. DORA aims to ensure that financial entities, such as banks, insurance companies, and investment firms, are resilient to severe operational disruptions caused by IT incidents and cyberattacks.
It entered into force in January 2023 and applies in full from 17 January 2025. For ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the previous business year, charged daily for up to six months until compliance is achieved. Penalties for financial entities themselves are set by each member state's competent authority, and member states may also provide for criminal penalties for particular breaches, so the exposure depends on the severity of the breach and the legal framework of the respective EU member state.
- Comprehensive ICT Risk Management
The regulation mandates that financial institutions implement robust ICT (Information and Communication Technology) risk management frameworks. This includes continuous risk assessment, business impact analysis, and protection and detection controls such as identity and access management, patch management, and security monitoring (for example, a security information and event management (SIEM) system) capable of detecting anomalous activity.
- Incident Reporting and Response
DORA requires entities to establish systems for monitoring, managing, and reporting ICT-related incidents. This includes a structured approach to logging, classifying, and reporting incidents to relevant authorities and stakeholders.
- Third-Party Risk Management
The regulation also covers third-party ICT service providers, requiring financial entities to actively manage and mitigate risks associated with these providers. This includes conducting due diligence, negotiating specific contractual terms, and ensuring that providers comply with the regulatory standards.
- Digital Operational Resilience Testing
Financial entities must conduct regular testing of their ICT systems to identify vulnerabilities, with systems supporting critical or important functions tested at least annually. This ranges from basic tests like vulnerability assessments and source code reviews to advanced threat-led penetration testing (TLPT), which entities designated by their competent authority must carry out at least every three years against live production systems supporting critical functions.
Who does DORA apply to?
DORA applies not only to traditional financial institutions but also to a broader range of entities including crypto-asset service providers, payment institutions, trading venues, and more. This broad scope ensures that the entire financial ecosystem within the EU is covered under the same regulatory framework.
Why is it important?
DORA is crucial because it establishes a comprehensive regulatory framework aimed at enhancing the cybersecurity and operational resilience of financial institutions within the EU. By mandating robust ICT risk management, regular resilience testing, and stringent oversight of third-party service providers, DORA ensures that financial entities can withstand and recover from cyber threats and operational disruptions. This coordinated approach not only mitigates risks but also promotes a unified and secure financial environment, bolstering trust and stability in the increasingly digitalised financial sector.
Start your journey to DORA operational resilience today, speak to one of our experts.
Book A Pen Test
Enterprise Grade Pen Testing
Key advantages
Withstand cyber security threats
Penalties for non-compliance
Ensure operational resilience
Competitive advantage