DORA

What is DORA?

DORA (the Digital Operational Resilience Act) sets out a harmonized approach to digital operational resilience across the EU’s financial sector.

It was published in the Official Journal of the European Union on December 27, 2022 and comprises a regulation and three directives.

The directives amend a number of existing EU directives relating to the financial sector.

The Regulationsets out network and information systems security requirements for organizations in the financial sector and their third-party ICT (information and communication technology) service providers.

Among other obligations, financial entities are required to:

• Implement an internal governance and control framework to manage ICT risk. This must be backed up by an incident management process and testing of ICT technologies.
• Ensure that contracts with third-party ICT suppliers provide suitable assurance of their information security.

The Regulation also enshrines the principle of proportionality, stating that financial entities should take account of “their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations” when implementing measures to meet their obligations.

The difference between EU directives and regulations

The EU has two types of legal instruments: directives and regulations.

Directives set minimum standards and parameters for the EU, but leave the actual implementation to the member states themselves. When a directive is passed, the EU sets a deadline by which every member state must put the directive into force, whether by law, regulation, or other initiative.

Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.

What is the DORA Regulation?

The DORA Regulation (Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) sets out requirements covering:

• ICT risk management
• Incident reporting
• Digital operational resilience testing
• Information sharing
• Third-party risk management

It also establishes:

• Requirements in relation to contractual arrangements between financial entities and ICT third-party service providers
• Rules for an oversight framework for critical ICT third-party service providers when providing services to financial entities
• Rules on cooperation among supervisory authorities, and on supervision and enforcement

Further technical requirements will be set out by the three European supervisory authorities: the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority), and ESMA (European Securities and Markets Authority).

Until these technical requirements are published, financial entities should refer to the DORA Regulation itself, which sets out plenty of information about the requirements that they will be expected to meet.

Who does the DORA Regulation apply to?

The DORA Regulation applies to the EU’s financial sector and suppliers of ICT services to that sector – wherever those suppliers are based.

Financial entities covered by the Regulation include:

• Credit institutions
• Payment institutions
• Account information service providers
• Electronic money institutions
• Investment firms
• Crypto-asset service providers and issuers of asset-referenced tokens
• Central securities depositories
• Central counterparties
• Trading venues
• Trade repositories
• Managers of alternative investment funds
• Management companies
• Data reporting service providers
• Insurance and reinsurance undertakings
• Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
• Institutions for occupational retirement provision
• Credit rating agencies
• Administrators of critical benchmarks
• Crowdfunding service providers
• Securitization repositories

When does the DORA Regulation come into force?

The Regulation entered into force on January 16, 2023 and will apply from January 17, 2025.

  Read the full text of the DORA Regulation

How IT Governance USA can help your DORA compliance

We have more than 15 years’ experience helping organizations meet their IT governance, risk management, and compliance objectives.

IT Governance is recognized under the following frameworks:

• CREST certified as ethical security testers
• Certified under Cyber Essentials Plus, the UK government-backed cybersecurity certification scheme
• Certified to ISO 27001:2013, the world’s most recognized information security standard

We can provide all the cybersecurity and information security services and resources you need to ensure your organization follows industry-recognized best practice and can demonstrate its compliance with DORA’s information security risk management and testing requirements.