The rise of operational resilience regulations across the UK, Europe and North America shows the increasing importance of being ready to face disruptions and to continue serving your customers and markets.
The Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation designed to strengthen the digital operational resilience of financial entities and their ICT (Information and Communication Technology) third-party service providers. It was published in the Official Journal of the EU on December 27, 2022, and has been in force since January 17, 2025.
Key Objectives of DORA:
- Enhance Digital Resilience: To ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.
- Harmonize Regulatory Frameworks: To create a consistent set of rules across the EU for managing digital operational resilience, reducing complexities arising from different national regulations.
- Protect the Financial System: To prevent ICT incidents from destabilizing the financial system and ensure the continuity of critical financial services.
Scope of DORA:
DORA applies to a wide range of financial entities operating within the EU, as well as their ICT service providers, regardless of where the providers are based. This includes:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Insurance and reinsurance undertakings
- Crypto-asset service providers
- And many other types of financial entities.
The Five Pillars of DORA:
DORA establishes a comprehensive framework based on five key pillars:
- ICT Risk Management: Financial entities must establish, maintain, and regularly update a sound and comprehensive ICT risk management framework. This includes strategies, policies, procedures, protocols, and tools to adequately address ICT risk. It emphasizes governance and the responsibility of the management body in defining and overseeing the implementation of this framework.
- ICT-Related Incident Management, Classification, and Reporting: Entities need to have processes in place to monitor, handle, classify, and report ICT-related incidents. Major incidents must be reported to the relevant competent authorities, with specific requirements for the content and timelines of these reports. There is also a provision for the voluntary notification of significant cyber threats.
- Digital Operational Resilience Testing: Financial entities are required to regularly test the effectiveness of their ICT risk management framework. This includes a range of tests, from basic vulnerability assessments to advanced threat-led penetration testing (TLPT) for critical entities, conducted at least every three years.
- ICT Third-Party Risk Management: DORA mandates that financial entities manage the risks arising from their reliance on ICT third-party service providers. This includes conducting due diligence, establishing contractual arrangements with key provisions, and monitoring the performance and security practices of these providers. A specific oversight framework is established for critical ICT third-party providers at the EU level.
- Information Sharing Arrangements: The regulation encourages financial entities to participate in voluntary information-sharing arrangements regarding cyber threats and vulnerabilities to enhance collective cyber resilience. Such sharing must occur in a trustworthy and secure manner, respecting data protection rules.
Compliance with DORA requires the following key actions:
- Establishing a Governance Framework: Appointing responsible individuals and creating a clear strategy for DORA compliance.
- Conducting a Gap Analysis: Identifying areas where current practices do not meet DORA requirements.
- Enhancing Risk Management Practices: Developing and implementing comprehensive ICT risk management policies and procedures.
- Strengthening Incident Reporting and Response: Establishing clear protocols for reporting and managing ICT incidents.
- Conducting Digital Operational Resilience Testing: Implementing a testing program that includes regular and advanced testing.
- Enhancing Third-Party Risk Management: Assessing and managing risks associated with ICT third-party providers.
- Fostering Information Sharing and Cooperation: Participating in relevant information-sharing initiatives.