What is the Digital Operational Resilience Act (DORA)?

What is DORA?

The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation enacted by the European Council to set technical standards for financial institutions and ICT service providers, enhancing their cybersecurity and operational resilience.

DORA has two primary goals: 

  • to thoroughly tackle ICT risk management within the financial services sector; and 
  • to unify the ICT risk management regulations currently in place across individual EU member states.

Why is DORA needed?

The financial sector’s reliance on technology and tech companies for delivering services is growing, making it susceptible to cyber-attacks and incidents. Poorly managed ICT risks can disrupt cross-border financial services, impacting other businesses, sectors, and the broader economy. This highlights the critical need for digital operational resilience in the financial sector, which is where DORA becomes essential.

What is the timeline of DORA?

On 24 September 2020, the European Commission published the draft of DORA. Two years later, on 10 November 2022, the European Parliament voted in favour of it, and on 28 November 2022 the European Council adopted it. Shortly afterwards, on 16 January 2023, DORA entered into force and with that, the countdown of the 2-year implementation period started.

As of 17 January 2025, DORA will be applicable to the entities falling under its scope, which means they must comply with the requirements of the act.

To facilitate compliance with DORA, on 17 January 2024, the European Supervisory Authorities (ESAs) issued the first batch of rules under DORA — regulatory technical standards (RTS) and implementing technical standards (ITS):

On 17 July 2024, the ESAs issued the final draft technical standards:

The ESAs also issued:

The guidelines have been approved by the Boards of Supervisors of the three ESAs. The final draft technical standards have been sent to the European Commission, which will now begin their review with the goal of adopting these policy products in the coming months. The remaining RTS on Subcontracting will be released soon.

DORA chart

Who must comply with DORA?

DORA applies to all financial institutions within the EU, encompassing both traditional entities such as banks, investment firms and credit institutions, and non-traditional entities such as crypto-asset service providers and crowdfunding platforms. The full list of entities to which DORA applies is set out in Article 2, which states the following:

  • credit institutions;
  • payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
  • account information service providers;
  • electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
  • investment firms;
  • crypto-asset service providers as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (“the Regulation on markets in crypto-assets”) and issuers of asset-referenced tokens;
  • insurance and reinsurance undertakings;
  • central securities depositories;
  • central counterparties;
  • trading venues;
  • trade repositories;
  • managers of alternative investment funds;
  • management companies;
  • data reporting service providers;
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
  • institutions for occupational retirement provision;
  • credit rating agencies;
  • administrators of critical benchmarks;
  • crowdfunding service providers;
  • securitisation repositories;
  • ICT third-party service providers.

As can be seen, DORA extends to certain entities usually exempt from financial regulations, such as ICT third-party service providers.

What are the pillars of DORA and in short, what does each one require?

The requirements of DORA are organized in the following five pillars:

  • ICT Risk Management, which, among others: 
    • requires financial entities to have in place an internal governance and control framework and an ICT risk management framework;
    • sets out the responsibilities of the management body, including the obligation to be regularly trained on ICT risk-related matters;
    • calls for the establishment or assignment of a role for monitoring the arrangements made with ICT third-party service providers on the use of ICT services;
    • covers matters related to: 
      • use, maintenance, monitoring and control of ICT systems, protocols and tools;
      • identification, classification and adequate documentation of all ICT supported business functions as well as:
        • the roles and responsibilities within those functions;
        • the information assets and ICT assets supporting those functions; and 
        • their roles and dependencies in relation to ICT risk;
    • requires financial entities to have in place: 
      • mechanisms for prompt detection of anomalous activities;
      • a comprehensive ICT business continuity policy, backup policies and procedures, restoration and recovery procedures and methods;
      • capabilities and staff to gather information on vulnerabilities and cyber threats, ICT-related incidents, and analyse their likely impact on digital operational resilience; and
      • crisis communication plans.
  • ICT-related incident management, classification and reporting, which, among others:
    • requires financial entities to define, establish and implement an ICT-related incident management process and requirements;
    • sets out the criteria for classification of ICT-related incidents and cyber threats and covers matters related to: 
      • reporting major ICT-related incidents and voluntary notification of significant cyber threats; 
      • harmonisation of reporting content and templates; 
      • centralisation of reporting of major ICT-related incidents; and
      • supervisory feedback.
  • Digital operational resilience testing, which, among others, covers:
    • general requirements for the performance of digital operational resilience testing;
    • testing of ICT tools and systems;
    • advanced testing of ICT tools, systems and processes based on threat-led penetration testing (TLPT); and
    • requirements for testers for the carrying out of TLPT.
  • Managing of ICT third-party risk, which, among others, covers:
    • key principles for a sound management of ICT third-party risk;
    • preliminary assessment of ICT concentration risk at entity level; and
    • key contractual provisions to be set out in writing to determine the rights and obligations of the financial entity and of the ICT third-party service provider.
  • Information-sharing arrangements, which, among others, cover:
    • information-sharing arrangements on cyber threat information and intelligence;
    • confidentiality requirements; and
    • the need for notifying the competent authorities.

How can HackEthic help?

As can be seen, DORA requirements are extensive, complex and far-reaching. HackEthic’s team of seasoned professionals is well-equipped to assist you with: 

  • Correctly interpreting DORA requirements by:
    • providing detailed analyses and explanations of the articles; 
    • breaking down complex legal language into clear, actionable insights; 
    • providing examples that illustrate how these articles apply to your organization’s specific context; 
    • organizing workshops and consultations with legal and compliance experts to ensure thorough understanding and accurate interpretation.
  • Performing a DORA gap analysis by:
    • comparing the present state of your organization’s performance or processes against a desired future state; 
    • identifying areas where improvements are needed.
  • Creating a remediation roadmap by:
    • developing a structured plan to address identified gaps or deficiencies within your organization; 
    • outlining the necessary actions, timelines, and resources required to rectify issues and achieve desired improvements.
  • Assessing ICT third-party service provider risks by:
    • identifying the relevant ICT third-party service providers and prioritizing them by criticality;
    • sending out questionnaires to assess ICT third-party service providers’ security practices and to identify and evaluate risks;
    • supporting your organization with signing information security and cybersecurity terms and conditions with ICT third-party service providers.


Did not find what you were looking for?

This list of services is not exhaustive. Please reach out directly.

The HackEthic team strongly urges those obliged to comply with PCI DSS Version 4.0.1 to swiftly meet the outlined requirements. To this end, the team also stands ready to offer assistance.