Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (Regulation EU 2022/2554; “DORA“) regulates the resilience of traditional and non-traditional financial entities, such as banks, insurance companies, investment firms, and crypto-asset service providers. DORA also applies to certain entities typically not covered by financial regulations, such as third-party service providers supplying ICT systems to financial entities.
DORA standardizes the digital operational resilience rules among the different operators in the financial sector and reduces rule fragmentation. The Act includes detailed rules for ICT risk management, handling and reporting of ICT related incidents, digital operational resilience testing, management of ICT third-party risk, and information sharing between entities in relation to cyber threats and vulnerabilities.
What does this mean?
- Financial entities must adopt internal governance and ICT risk management frameworks to ensure holistic, prudent, and well-documented management of ICT risks. Within these frameworks, the financial entities need to identify and classify ICT supported business functions, roles and responsibilities, and ICT assets supporting those functions. The financial entities shall also have comprehensive ICT business continuity policy, backup policies and procedures, as well as restoration and recovery procedures and methods.
- The ICT systems used by the financial entities need to be appropriate and reliable and the entities must adequately protect the ICT systems by deploying security tools, policies and procedures. Financial entities shall promptly detect all anomalies within their ICT systems, and have robust incident management, classification and reporting processes. All major ICT-related incidents must be reported to the competent authority.
- The financial entities must regularly test the ICT systems and applications they use to assess their digital operational resilience against incidents.
- In addition, the DORA includes rules and requirements for managing ICT third-party risk through setting general principles for the use of third-party systems and assessing their risk levels. The Act also sets forth key contractual provisions to be included in an agreement between a financial entity and a third-party service provider to properly allocate the rights and obligations of the parties.
- DORA encourages sharing of information between financial entities on threat and vulnerability intelligence to enhance the entities’ cybersecurity threat prevention and response capabilities. However, such information sharing is not mandatory.
- The requirements of the Act will be enforced proportionately, meaning that smaller financial entities, such as microenterprises, can apply the requirements in a less stringent and more flexible manner, considering their size and overall risk profile, and the nature, scale, and complexity of their services, activities, and operations.
- DORA is sector-specific legislation in relation to the NIS II Directive and the CER Directive, meaning that Member States should not apply the provisions of the Directives on supervision and enforcement to financial entities covered by DORA.
Who?
- Businesses operating in the financial sector must consider the requirements of the DORA, assess their effects, and implement the relevant requirements into their operations.
Consequences
- Competent authorities in each Member State will have supervisory, investigatory and sanctioning powers.
- Non-compliance with the Act may lead to sanctions, such as an order to comply, a public notice, remedial measures, or administrative penalties.
Timeline
- The Act entered into force on 16 January 2023 and will apply as of 17 January 2025.