Prepare for DORA: what you need to know about the Digital Operational Resilience Act regulation – key points explained
What is DORA?
DORA, the Digital Operational Resilience Act, is a crucial regulation proposed by the European Union (EU) that seeks to standardise operational resilience rules within the financial sector. It goes beyond financial entities and applies to information and communication technology (ICT) service providers. DORA’s main objective is to protect the financial sector during operational disruptions by enforcing regulations related to the prevention, detection, containment, recovery, and repair of ICT-related incidents. By adhering to the requirements of DORA, financial entities can proactively manage risks and strengthen their operational resilience.
One significant change introduced by DORA is that the board of a financial institution becomes legally responsible for ICT risk. This makes operational resilience a board-level priority and underlines the need for proactive measures rather than reactive fixes.
When does DORA come into effect?
DORA will apply from 17 January 2025.
Who does DORA apply to?
DORA applies to all financial entities operating within the EU regulatory jurisdiction. This includes banks, insurance companies, investment firms, payment service providers, and other entities involved in financial services. Regardless of their size, all financial entities are subject to the provisions of DORA and must comply with its requirements to ensure operational resilience.
DORA also applies to the ICT service providers that serve these financial entities.
What are the five pillars of DORA regulation?
The Digital Operational Resilience Act (DORA) is built on five pillars that formalise the requirements placed on financial entities, with the aim of creating a more resilient financial system.
ICT risk management
DORA requires a robust ICT risk management framework. Every company must take full responsibility for managing digital risk by implementing a governance and control structure. The framework must be driven by a strategy based on the organisation’s risk tolerance; it must cover the identification, prevention, and detection of risk, and it must demonstrate the ability to respond to disruption, recover from it, and learn from incidents.
Reporting of major ICT-related incidents
DORA promotes the sharing of threat intelligence and incident data among financial entities and their third-party ICT service providers in order to enhance resilience. It requires companies to use a standard methodology for classifying and reporting incidents, with criteria that determine the duration, impact, and criticality of the services affected; significant incidents must be reported to regulators promptly. This collaborative approach strengthens the sector’s ability to detect, prevent, and respond to operational disruptions.
Management of third-party supply chain risk
DORA highlights the importance of comprehensive supply chain management. Financial entities must assess the resilience of their third-party ICT service providers and ensure their compliance with DORA requirements. To help avoid systemic economic disruption, companies must monitor risk from technology providers throughout the relationship, using appropriate third-party risk management practices.
Digital operational resilience testing
Companies must run comprehensive scenario-based testing of their security and resilience. The most significant firms must additionally have an independent tester perform advanced, large-scale penetration testing every three years, covering critical functions and the ICT providers that support them.
Intelligence sharing for cyber risk/vulnerabilities
DORA promotes collaboration among financial entities to raise awareness of ICT risks, limit the spread of cybercrime, and support mitigation strategies. By sharing root causes and lessons learned, companies can put proactive measures in place to prevent similar incidents.
How to prepare now for DORA regulation
Prepare now for DORA regulation by following these six steps towards compliance with its requirements:
1. Review the relevant legislation to determine whether DORA applies to your organisation.
2. Ensure the board is aware of its duties and obligations.
3. Conduct a gap analysis to identify where the organisation does not yet meet the regulation’s criteria for ICT functions, incident collection, reporting, and testing scenarios.
4. Develop a plan to address and close any identified gaps.
5. Collaborate with stakeholders such as the business continuity, operational resilience, and third-party risk management teams to prioritise functions and review the results of a business impact analysis or end-to-end mapping.
6. Put the required controls in place before entering into any ICT third-party agreement, and ensure the requirements for exiting such contracts are met.
Stay ahead of the regulatory curve. Contact us now to ensure compliance and resilience with DORA. Discover more about our DORA Assessment Workshop!