What is DORA?
DORA (the Digital Operational Resilience Act) sets out a harmonised approach to digital operational resilience across the EU’s financial sector.
It was published in the Official Journal of the European Union on 27 December 2022 and comprises a regulation and three directives.
The directives amend a number of existing EU directives relating to the financial sector.
The Regulation sets out network and information systems security requirements for organisations in the financial sector and their third-party ICT (information and communication technology) service providers.
Among other obligations, financial entities are required to:
- Implement an internal governance and control framework to manage ICT risk. This must be backed up by an incident management process and testing of ICT technologies; and
- Ensure that contracts with third-party ICT suppliers provide suitable assurance of their information security.
The Regulation also enshrines the principle of proportionality, stating that financial entities should take account of “their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations” when implementing measures to meet their obligations.
The difference between EU directives and regulations and directives
The EU has two types of legal instruments: directives and regulations.
Directives set minimum standards and parameters for the EU, but leave the actual implementation to the member states themselves. When a directive is passed, the EU sets a deadline by which every member state must put the directive into force, whether by law, regulation or other initiative.
Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.
What is the DORA Regulation?
The DORA Regulation (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) sets out requirements covering three core concepts:
- Risk management
- Financial entities must have a documented ICT risk management framework that “enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience”. This must be backed up by regular testing.
- Incident management
- Financial entities must have “an ICT-related incident management process to detect, manage and notify ICT-related incidents”. They must also establish “appropriate procedures and processes to ensure a consistent and integrated monitoring, handling and follow-up of ICT-related incidents”.
- Supply chain security
- Financial entities must “manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework”. As well as implementing contractual arrangements that cover third-party risk, they must maintain a register of service providers and report on it to the competent authority every year.
It also establishes:
- Requirements in relation to contractual arrangements between financial entities and ICT third-party service providers;
- Rules for an oversight framework for critical ICT third-party service providers when providing services to financial entities; and
- Rules on cooperation among supervisory authorities, and on supervision and enforcement.
Further technical requirements will be set out by the three European supervisory authorities: the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority).
The first batch – a set of four regulatory technical requirements covering Articles 15, 16(3), 18(3), 28(9) and 28(10) – is due to be submitted on 17 January 2024.
The second batch of policy mandates – covering Articles 11(11), 20a, 20b, 26(11), 30(5), 32(7) and 41 – is due to be submitted on 17 June 2024.
Until these technical requirements are published, financial entities should refer to the DORA Regulation itself, which sets out plenty of information about the requirements that they will be expected to meet.
Who does the DORA Regulation apply to?
The DORA Regulation applies to the EU’s financial sector and suppliers of ICT services to that sector – wherever those suppliers are based.
Financial entities covered by the Regulation include:
- Credit institutions;
- Payment institutions;
- Account information service providers;
- Electronic money institutions;
- Investment firms;
- Crypto-asset service providers and issuers of asset-referenced tokens;
- Central securities depositories;
- Central counterparties;
- Trading venues;
- Trade repositories;
- Managers of alternative investment funds;
- Management companies;
- Data reporting service providers;
- Insurance and reinsurance undertakings;
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
- Institutions for occupational retirement provision;
- Credit rating agencies;
- Administrators of critical benchmarks;
- Crowdfunding service providers; and
- Securitisation repositories.
When does the DORA Regulation come into force?
The Regulation entered into force on 16 January 2023 and will apply from 17 January 2025.
Read the full text of the DORA Regulation
How IT Governance can help your DORA compliance
We have more than 20 years’ experience helping organisations meet their IT governance, risk management and compliance objectives.
IT Governance is recognised under the following frameworks:
- CREST certified as ethical security testers.
- Certified under Cyber Essentials Plus, the UK government-backed cyber security certification scheme.
- Certified to ISO 27001:2013, the world’s most recognised information security standard.
We can provide all the cyber security and information security services and resources you need to ensure your organisation follows industry-recognised best practice and can demonstrate its compliance with DORA’s information security risk management and testing requirements.