Digital Operational Resilience Act (DORA)

On 16 January 2023, the Digital Operational Resilience Act (DORA) entered into force

Today, information and communication technology (ICT) plays a vital role in the financial industry and the volume of data processed every day ever increases – with no end in sight. The regulatory landscape that addressed operational resilience with respect to services provided and regulatory compliance for financial entities in Europe was until the entry into force of DORA very heterogenous. Banking institutions were for example facing much higher regulatory standards on paper than other financial entities such as Management Companies, Alternative Fund Managers and Insurance Companies.

Background

As of January 2025 around 22,000 of EU regulated financial entities (e.g. banks, insurance companies, management companies, AIFMs, PSF (expected)) are required to comply with uniform regulatory standards that have two main objectives:

Build, assure and review the operational integrity of the service and operating model to ensure the continued provision of (the quality of) the financial services including throughout disruptions; and
Limit the risk of contagion within the EU financial system by prescribing a harmonised minimum standard of digital operational resilience.

What is digital operational resilience?

DORA introduces a five-pillar framework of ICT risk management; incident reporting; digital operational resilience testing; third-party risk management; and information sharing. Through this digital operations framework, DORA will help firms ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

ICT risk management

Under DORA, the management body is responsible for defining, approving and implementing a comprehensive ICT risk management framework. The framework should include a digital operational resilience strategy and the methods used to manage ICT and cyber risk and meet objectives by:

explaining how the framework supports the business strategy and its objectives;
establishing the tolerance level for ICT risk and analysing the impact of ICT disruptions;
setting out clear information regarding security objectives;
outlining the different mechanisms in place to detect, protect and prevent the impacts of ICT-related incidents;
defining a holistic ICT multi-vendor strategy at the entity level, highlighting key dependencies on ICT third-party service providers and explaining the rationale behind the mix of third-party service providers; and
reviewing the ICT risk management of third parties as it relates to the services provided.

ICT and cyber-related incident management

DORA requires financial entities to have an ICT-related incident management process that:

establishes procedures to identify, track, log, categorise and classify ICT-related incidents according to the priority, severity and criticality of services impacted;
assigns roles and responsibilities that need to be activated for different ICT- related incident types and scenarios;
sets out plans for communication to staff, external stakeholders and media, and for notifications to clients and counterparts as appropriate;
ensures that major ICT-related incidents are reported to relevant senior management and that the management body is informed of major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of ICT-related incidents; and
establishes ICT-related incident response procedures to mitigate the impacts and ensure that services become operational and secure in a timely manner.

Digital operational resilience testing

DORA requires all entities to implement a sound and comprehensive digital operational resilience testing programme. It should:

take a risk-based approach, accounting for the evolving landscape of ICT and cyber risks, any specific threats to which the financial entity is — or might be — exposed, the criticality of information assets and services provided and so on;
ensure that tests are undertaken by independent parties (internal or external);
identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps; and
ensure that all critical tools and applications are tested at least annually.
Threat-led penetration testing is explicitly required by DORA, which includes requirements for the entity that extend to ICT/critical third-party service providers. The competent authorities must validate the scope of this testing.

ICT third-party risk management

DORA requires financial entities to manage ICT third-party risk as an integral component within their ICT risk management framework and in accordance with the principles defined. These principles include the following:

The principle of proportionality when managing risk, taking into account the scale, complexity and importance of ICT-related dependencies; and the risks arising from contractual arrangements, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and quality of financial services and activities at individual and group levels;
Adopt an ICT third-party risk strategy and review it regularly; and
The principle that financial entities shall maintain and update at the entity, sub-consolidated and consolidated levels a register of information concerning all contractual arrangements with ICT third-party service providers.

Critical third-party providers

DORA introduces an oversight framework for critical ICT third-party providers (CTTP), outlining specific criteria for designating a third-party as critical. CTPPs will be charged a fee to cover oversight costs. The oversight framework includes the provision of a ‘lead overseer’ for each CTPP, who will have the power to:

conduct general investigations and inspections and request documentation;
request reports after the completion of oversight activities specifying the remediation actions taken;
address recommendations towards ICT CTPPs on, for example, the use of conditions and terms to minimise possible systemic impact;
impose a periodic penalty payment to compel the CTPP to comply (a daily penalty of 1% of the prior year’s turnover for a maximum of six months); and
request the termination of contractual arrangements with relevant firms if a CTTP opposes an inspection.

Information-sharing

DORA encourages financial entities to exchange among themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing enhances the digital operational resilience of financial entities and is implemented through arrangements that protect the potentially sensitive nature of the information shared. The information-sharing arrangements should also define the conditions for participation, and financial entities must notify the competent authorities of their involvement in such information-sharing arrangements.

Technical standards

By July 2024, the final Regulatory Technical Standards and the Implementing Technical Standards will be published in relation to:

Incident management: reporting content for major ICT-related incidents and conditions under which an entity can delegate, on receipt of approval, reporting obligations to a service provider.
Digital operational resilience: criteria for testing all critical applications at least yearly and requirements concerning the scope of threat-led penetration testing, testing methodology, approach, results, remediation and closure.

Third-party risk management: details on the content for policies in relation to contractual arrangements and the types of information to be included in the register of information.

Helping you prepare for DORA

Our IT risk and Cyber experts can assist you with all aspects of DORA compliance, from current state assessments and gap analysis to implementing processes and controls and achieving compliance. Our dedicated project management experts can also ensure that your plans are clear, concise and tracked to completion.

Readiness assessments

The first step to compliance is a current state assessment and gap analysis. This aims to understand the level of maturity of ICT and cyber risk management and identify gaps in compliance with the regulation. In many cases, organisations will be leveraging—or have implemented—existing frameworks or guidelines such as NIS2 or the EBA’s Guidelines on Operational Resilience and Cross-Industry Guidance on Outsourcing, which provide a starting point for compliance. However, DORA is more prescriptive than the existing operational resilience and cybersecurity guidelines. So, while these will be a useful starting point, they will not guarantee compliance with DORA.

Implementation plans

A detailed implementation plan must be developed once the readiness assessment and gap analysis have been completed. It should provide clear direction on how compliance with DORA can be achieved by January 2025. This plan should be granular, have clear objectives and defined responsibilities, and be time-bound to ensure compliance by January 2025. Given the broad scope and nature of the regulation, the implementation plan will likely consist of changes or enhancements to existing policies, processes and documentation, as well as the development of new ones.

Project implementation

With a potentially wide-ranging plan to implement alongside other projects and business-as-usual activities, having a dedicated and experienced team focused on achieving compliance with DORA would benefit many organisations. Each workstream in the plan should have clearly defined deliverables, action owners and milestones. These should be monitored closely to ensure successful delivery against the project’s timelines. Having worked with organisations of all sizes, we have seen examples of best practices and common pitfalls. As a result, we can bring valuable insights to your organisation with the scope of delivering the plan and achieving compliance.

TLPT Services

Empower your organisation's cyber security readiness with our comprehensive threat-led penetration services aligned with DORA requirements. Our expert team conducts simulated cyber attacks, replicating real-world threats to evaluate your existing security measures. By leveraging our global threat intelligence capabilities we are able to emulate threat actors and ensure that your defences are able to detect and respond to a real life threat. Our cutting-edge tooling, methodologies and specialised expertise ensure that your organisation always stays ahead of evolving cyber threats whilst also complying with regulations such as DORA.

GRC services

Navigate the complexities of cyber governance, risk, and compliance with confidence through our tailored GRC services. We offer comprehensive solutions to establish robust governance structures, implement effective risk management frameworks, and ensure compliance with regulations and standards such as DORA, NIS 2 among others. Our proactive approach enables us to identify, assess, and mitigate risks, tailored to your organisation's unique needs and objectives. With our continuous monitoring and improvement strategies, we help drive sustainable growth while minimising disruptions and regulatory risks to your business.

The most important in 30 seconds

Why is DORA relevant?

DORA will apply to more than 22,000 financial entities and ICT service providers operating within the EU. The regulation will introduce specific and prescriptive requirements for all financial market participants including e.g. banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers and cloud service providers.
DORA ensures a consistent provision of services across the entire value chain by introducing an end-to-end holistic framework for effective Risk management, ICT and cyber security operational capabilities, and Third Party management.
DORA’s five key pillars: ICT Risk Management, ICT-related Incident Management; Digital Operational Resilience Testing, ICT Third Party Risk Management, and Information Sharing Arrangements.
The regulation is unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).

When will DORA be enforced?

DORA entered into force on 16 January 2023. With an implementation period of two years, financial entities will be expected to be compliant with the regulation by 17th January 2025.

Draft

On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP).

Reaching an Agreement

Following the publications of the European Parliament and Council's proposals for DORA, the co-legislators held political and technical trilogues throughout H1 2022. The European Council adopted DORA on November 28th, 2022, after the European Parliament voted in favour of the act on November 10th.

Entering into Force

DORA entered into force on 16 January 2023. We expect the first regulatory and implementing technical standards (RTS and ITS) to be developed by the European Supervisory Authorities (ESAs).

RTS & ITS

Multiple regulatory and implementing technical standards are defined and issued by the ESAs. They provide entities with specifications and guidance on how to implement specific DORA requirements.

Enforcement

DORA requirements are enforceable 24 months after entry into force (16th January 2023). Therefore, financial entities will be expected to be compliant with DORA by 17th January 2025.

DORA – Are you ready?

We view DORA simultaneously as a challenge and opportunity for financial entities. The EU-wide uniform requirements of DORA mean that financial entities need to ensure they can manage a consistent maturity level of cyber security and operational resilience across all their EU operations.

With a two-year “getting ready” period, there is a lot that needs to be considered, implemented, and demonstrated. Starting right now, financial institutions will want to conduct comprehensive gap assessments to evaluate their respective maturity vis-à-vis DORA and timely identify any areas that require further investment and prioritisation. This will put your business in a better position to address more complex requirements such as supply risk management, threat intelligence, and advanced security testing, giving you a competitive advantage on the market.

DORA will set the regulatory focus on 5 key pillars

ICT Risk Management
ICT-related Incident Management
Digital Operational Resilience Testing
ICT Third-Party Risk Management
Information Sharing

ICT Risk Management

Financial entities are required to set up a comprehensive ICT risk management framework, including:

set-up and maintain resilient ICT systems and tools that minimise the impact of ICT risk,
identify, classify and document critical functions and assets,
continuously monitor all sources of ICT risks in order to set-up protection and prevention measures,
establish prompt detection of anomalous activities,
put in place dedicated and comprehensive business continuity policies and disaster and recovery plans, incl. yearly testing of the plans, covering all supporting functions,
establish mechanisms to learn and evolve both from external events as well as the entity’s own ICT incidents.

ICT-related Incident Management

Financial entities are required to:

develop a streamlined process to log/classify all ICT incidents and determine major incidents according to the criteria detailed in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA),
submit an initial, intermediate and final report on ICT-related incidents,
harmonise the reporting of ICT-related incidents through standard templates as developed by the ESAs.

Digital Operational Resilience Testing

The regulation requires all entities to:

annually perform basic ICT testing of ICT tools and systems,
identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps with the implementation of counteractive measures,
periodically perform advanced Threat-Led Penetration Testing (TLPT) for ICT services which impact critical functions. ICT third-party service providers are required to participate and fully cooperate in the testing activities.

ICT Third-Party Risk Management

Financial entities are required to:

ensure sound monitoring of risks emanating from the reliance on ICT third-party providers,
report their complete register of outsourced activities, incl. intra-group services and any changes to the outsourcing of critical services to ICT third party service providers,
take account of IT concentrating risk and risks arising from sub-outsourcing activities
harmonise key elements of the service and relationship with ICT third-party providers to enable a ‘complete’ monitoring,
ensure that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details such as a full-service level description, indication of locations where data is being processed, etc.,
critical ICT third-party service providers will be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks. Financial entities must consider the ICT third-party risks of their service provider who do not follow the defined recommendation.

Information Sharing

The regulation encourages financial entities to set-up arrangements amongst themselves to exchange cyber threat information and intelligence,
The supervisory authority will provide relevant anonymized information and intelligence on cyber threats to financial entities. Therefore, entities should implement mechanisms to review and take action on the information shared by the authorities.

Related insights

23/01/23

Threat Intelligence

Threat intelligence, also known as cyber threat intelligence, refers to the process of collecting, analysing, and disseminating information about cyber threats and vulnerabilities. It is a proactive approach to security that involves continuously monitoring for threats, analysing the potential impact of those threats,...

02/11/22

DORA: What you should know about the latest changes

Our Cyber Security and Privacy team is continuously following the latest developments on the Digital Operational Resilience Act, or “DORA”. Since its first draft developed by the European Commission in September 2020 - which we covered in a previous article - numerous important changes have been made to the Act’s...

29/09/21

Introducing the Digital Operational Resilience Act

On 24 September 2020, the European Commission published the first draft of the Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP). This package involves a digital finance strategy, legislative proposals on crypto assets, blockchain technology, and digital operational resilience, as...

Digital Operational Resilience Act (DORA)

On 16 January 2023, the Digital Operational Resilience Act (DORA) entered into force

Background

Cybersecurity Regulation

What is digital operational resilience?

ICT risk management

ICT and cyber-related incident management

Digital operational resilience testing

ICT third-party risk management

Critical third-party providers

Information-sharing

Technical standards

Helping you prepare for DORA

Readiness assessments

Implementation plans

Project implementation

TLPT Services

GRC services

The most important in 30 seconds

Why is DORA relevant?

When will DORA be enforced?

Draft

Reaching an Agreement

Entering into Force

RTS & ITS

Enforcement

DORA – Are you ready?

DORA will set the regulatory focus on 5 key pillars

ICT Risk Management

ICT-related Incident Management

Digital Operational Resilience Testing

ICT Third-Party Risk Management

Information Sharing

Related insights

Threat Intelligence

DORA: What you should know about the latest changes

Introducing the Digital Operational Resilience Act

Contact us