The rise of information and communication technology (ICT) has transformed the way modern businesses operate, particularly in the financial services sector. However, as businesses become increasingly reliant on digital systems, the risk of cyber threats also grows. Recognising these challenges, the European Commission developed the Digital Finance Strategy in 2020, which ultimately led to the enactment of the Digital Operational Resilience Act (DORA). This legislation aims to bolster the digital operational resilience of financial entities across the European Union (EU).
What is DORA?
DORA establishes a harmonised framework to manage ICT risks within the financial sector. The legislation requires financial institutions to ensure they can withstand and recover from ICT-related disruptions. Given the interconnected nature of the financial system, the stability of the sector depends on robust digital resilience.
DORA entered into force on January 16, 2023, but its requirements only apply from January 17, 2025. By that date, financial entities are expected to comply, with the detailed regulatory and implementing technical standards (RTS/ITS) drafted by the European Supervisory Authorities filling in the specifics in the interim.
Scope of Application
DORA applies to a broad range of EU-regulated financial entities, including:
- Credit institutions
- Payment institutions
- Insurance and reinsurance companies
- Investment firms
- Credit rating agencies
- ICT third-party service providers such as cloud computing and data centre providers
The legislation also extends to “critical” ICT third-party service providers: providers designated as such because a failure or disruption on their side could have a systemic impact on the stability or continuity of financial services, taking into account how many financial entities depend on them and how easily they could be replaced.
DORA’s Five Core Pillars
1. Governance and Organisation
Financial entities must establish internal governance structures to manage ICT risks, with the management body bearing ultimate responsibility for them.
This involves setting policies to safeguard the availability, authenticity, integrity, and confidentiality of data and systems. Management must define and oversee the ICT risk strategy, ensuring that appropriate roles, policies, budgets, and reporting channels are in place, and must keep its own knowledge of ICT risk up to date.
2. ICT Risk Management
A comprehensive, documented ICT risk management framework is required, covering how ICT assets are identified and protected, how anomalies are detected, and how operational continuity is maintained and restored. The framework must be reviewed at least once a year, as well as after major ICT-related incidents and following supervisory instructions, and updated based on lessons learned and new regulatory requirements.
3. Incident Management and Reporting
Entities must establish a process to detect, manage, and report ICT-related incidents. Incidents that compromise the security of network and information systems or disrupt services must be logged and classified using harmonised criteria (such as the number of clients affected, duration, geographical spread, data losses, and criticality of the services affected). Incidents classified as major must be reported to the competent authority, with initial, intermediate, and final reports; significant cyber threats may also be notified on a voluntary basis.
4. Operational Resilience Testing
Regular testing is crucial for assessing a financial entity’s ability to handle ICT disruptions. Entities (other than microenterprises) must run a risk-based testing programme and test the ICT systems and applications supporting critical or important functions at least yearly. Entities identified by their competent authorities must additionally carry out threat-led penetration testing (TLPT) at least every three years, simulating real-world attacker tactics against live production systems.
5. Third-Party Risk Management
Financial institutions must manage the risks posed by third-party ICT service providers, especially those supporting critical or important functions. This includes conducting due diligence before entering contracts, maintaining a register of information on all ICT third-party arrangements, and ensuring contracts contain the provisions DORA requires, such as service level descriptions, data processing locations, incident assistance, cooperation with authorities, audit and access rights, termination rights, and exit strategies for critical services.
Oversight of Critical ICT Providers
Articles 31-44 of DORA establish an oversight framework for critical ICT third-party providers. The European Supervisory Authorities designate such providers based on criteria like their systemic impact on financial stability, the number and importance of the financial entities relying on them, and the difficulty of replacing them in the event of failure. Each designated provider is assigned a Lead Overseer, who may request information, conduct investigations and inspections, and issue recommendations; providers that fail to address identified risks may face penalty payments, and financial entities may ultimately be required to suspend or terminate their contracts with them.
Suggested Key Actions for Compliance
To meet DORA’s operational resilience requirements, companies can consider the following steps as part of their compliance effort:
- Develop an internal governance framework for managing ICT risks.
- Assess current ICT risk management, incident reporting, testing, and third-party contracting practices against DORA’s detailed requirements and the accompanying technical standards.
- Implement an action plan to continuously improve digital resilience, including regular staff training and updating response strategies for ICT-related incidents.
By proactively addressing these areas, financial institutions will be well-prepared to comply with DORA’s stringent standards and maintain the resilience of their digital operations.
Disclaimer: Nothing in this article constitutes legal advice or educational materials. This article reflects the writer’s personal understanding of the law and how it operates.