What is DORA?
DORA (the Digital Operational Resilience Act) sets out a harmonised approach to digital operational resilience across the EU’s financial sector.
It was published in the Official Journal of the European Union on 27 December 2022 and comprises a regulation and three directives.
The directives amend a number of existing EU directives relating to the financial sector.
The Regulation sets out network and information systems security requirements for organisations in the financial sector and their third-party ICT (information and communication technology) service providers.
Among other obligations, financial entities are required to:
- Implement an internal governance and control framework to manage ICT risk. This must be backed up by an incident management process and testing of ICT technologies; and
- Ensure that contracts with third-party ICT suppliers provide suitable assurance of their information security.
The Regulation also enshrines the principle of proportionality, stating that financial entities should take account of “their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations” when implementing measures to meet their obligations.
The difference between EU directives and regulations and directives
The EU has two types of legal instruments: directives and regulations.
Directives set minimum standards and parameters for the EU, but leave the actual
implementation to the member states themselves. When a directive is passed, the EU sets a deadline by which every member state must put the directive into force, whether by law, regulation or other initiative.
Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.
What is the DORA Regulation?
The DORA Regulation (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) sets out requirements covering:
- ICT risk management
- Incident reporting
- Digital operational resilience testing
- Information sharing
- Third-party risk management
It also establishes:
- Requirements in relation to contractual arrangements between financial entities and ICT third-party service providers;
- Rules for an oversight framework for critical ICT third-party service providers when providing services to financial entities; and
- Rules on cooperation among supervisory authorities, and on supervision and enforcement.
Further technical requirements will be set out by the three European supervisory authorities: the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority) and ESMA (European Securities and Markets Authority).
Until these technical requirements are published, financial entities should refer to the DORA Regulation itself, which sets out plenty of information about the requirements that they will be expected to meet.
Who does the DORA Regulation apply to?
The DORA Regulation applies to the EU’s financial sector and suppliers of ICT services to that sector – wherever those suppliers are based.
Financial entities covered by the Regulation include:
- Credit institutions;
- Payment institutions;
- Account information service providers;
- Electronic money institutions;
- Investment firms;
- Crypto-asset service providers and issuers of asset-referenced tokens;
- Central securities depositories;
- Central counterparties;
- Trading venues;
- Trade repositories;
- Managers of alternative investment funds;
- Management companies;
- Data reporting service providers;
- Insurance and reinsurance undertakings;
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
- Institutions for occupational retirement provision;
- Credit rating agencies;
- Administrators of critical benchmarks;
- Crowdfunding service providers; and
- Securitisation repositories.
When does the DORA Regulation come into force?
The Regulation entered into force on 16 January 2023 and will apply from 17 January 2025.
Read the full text of the DORA Regulation
How IT Governance can help your DORA compliance
We have more than 15 years’ experience helping organisations meet their IT governance, risk management and compliance objectives.
IT Governance is recognised under the following frameworks:
- CREST certified as ethical security testers.
- Certified under Cyber Essentials Plus, the UK government-backed cyber security certification scheme.
- Certified to ISO 27001:2013, the world’s most recognised information security standard.
We can provide all the cyber security and information security services and resources you need to ensure your organisation follows industry-recognised best practice and can demonstrate its compliance with DORA’s information security risk management and testing requirements.