The Digital Operational Resilience Act, known as DORA, is an EU regulation that entered into force on January 16th, 2023, and will apply from January 17th, 2025.
DORA aims to strengthen the digital operational resilience of the financial sector in the face of digital transformation and heightened cybersecurity threats. It is the first piece of legislation that provides a comprehensive digital operation framework for financial entities on an EU level.
What sectors does DORA apply to?
Once DORA applies in January 2025, all financial entities operating within the EU must fully comply with its measures. This includes traditional financial entities such as banks, investment firms, and credit institutions, as well as non-traditional entities such as crypto-asset service providers and crowdfunding platforms. It will also apply to ICT providers that service the finance sector.
What are the requirements?
DORA regulates risk management associated with increased digitalization of the financial sector. The legislation covers five main areas:
- ICT Risk Management: All financial entities must assess their IT risk landscape and establish a governance structure that oversees and directs all activities related to ICT risk management.
- ICT Incident Management: Companies within the financial sector must establish a process for managing ICT-related incidents and reporting major incidents and cyber threats to the relevant authorities.
- Digital Operational Resilience Testing: Businesses must conduct regular testing, including threat-led penetration testing (TLPT), to assess the operational stability and security of critical IT systems and to detect and resolve any potential ICT disruptions.
- Third Party Management: ICT third-party risk is an integral part of DORA’s risk management framework, and it requires financial entities to have a strategy to manage and periodically evaluate the risk. They must also keep a record of all contracts with IT service providers in a Register of Information.
- Information Sharing: DORA reinforces the legal grounds for information sharing arrangements on cyber threat information and intelligence. Financial institutions will be permitted to exchange cyber threat information and intelligence with one another as long as it takes place within trusted communities and is in compliance with relevant legislation.
How will DORA be enforced?
From January 2025, DORA will be enforced through a two-pronged approach:
- Competent Authorities: Each EU state's designated regulators, known as “competent authorities”, will oversee compliance. These authorities have the power to request specific security measures and impose administrative or criminal penalties on non-compliant entities.
- European Supervisory Authorities (ESAs): ESAs will directly supervise ‘critical’ ICT third-party service providers and have the authority to levy substantial fines for non-compliance.
How can you prepare for DORA compliance?
You can take many steps to ensure your business is fully compliant by the January 17th deadline.
- Assess your current IT infrastructure: Conduct a gap analysis to understand your infrastructure’s current strengths and weaknesses and to identify gaps between DORA’s requirements and your existing ICT risk management practices.
- Develop a compliance roadmap: Establish a clear and phased plan to integrate DORA’s requirements into your infrastructure, prioritizing based on risk, complexity, and available resources.
- Enhance ICT risk management: Start by establishing clear governance, roles, and responsibilities for ICT risk management. International standards such as ISO 27001 play a crucial role in achieving compliance and are aligned with DORA requirements.
- Strengthen incident management and reporting: Develop clear incident management and reporting procedures, including detection, classification, escalation, and response.
- Improve digital operational resilience testing: Incorporate threat-led penetration testing (TLPT) strategies that cover all critical systems and processes, including those reliant on third-party providers.
- Optimize third-party risk management: It is crucial to ensure your providers also comply with DORA’s requirements. Conduct due diligence on all existing and potential partners to assess their resilience and compliance, and renegotiate any contract to cover the mandatory provisions of DORA.
- Prepare employees: Brief all employees, from the board to front-line employees, on DORA’s requirements, allocate necessary resources to provide adequate training, and encourage a culture of transparency and collaboration to continuously improve the management of ICT risks and incidents.
Final Thoughts:
DORA promises to harmonize regulation on digital operational resilience on an EU-wide level by creating a binding, comprehensive ICT risk management framework. It represents a milestone in the EU’s effort to fortify the financial sector against the growing threat of ICT disruptions. DORA's collaborative nature, emphasizing information sharing and collective resilience, presents an opportunity for the financial sector to strengthen its defenses against common threats.
Compliance is not a one-off exercise but an ongoing activity that requires commitment, adaptability, and a proactive approach to risk management.
Knowledge Exchange is here to help you develop your roadmap and connect you to the suppliers you need. Get in touch to learn more about how we can support you in your compliance journey.