
    Digital Operational Resilience Act (DORA)

    Published: June 27, 2024

DORA (the Digital Operational Resilience Act, Regulation (EU) 2022/2554) sets clear, uniform requirements for managing ICT risk across the EU financial sector in a single legislative act, with the aim of strengthening cybersecurity and operational resilience across that sector. DORA creates a regulatory framework for digital operational resilience under which all in-scope financial entities must be able to withstand, respond to, and recover from all types of ICT-related disruptions and threats.

    DORA introduces specific rules on:

    • Information and Communication Technology (ICT) risk management
    • ICT-related incident management, classification, and reporting
    • Digital operational resilience testing
    • Management of ICT third-party risk

DORA applies from 17 January 2025, and in-scope financial entities must be compliant by that date. Many impacted firms are still in the early stages of preparing for DORA; as the deadline nears, it is time to give it the focus it needs.

    The 5 key requirements of DORA are:

    1. ICT Risk Management

As part of a firm's overall risk management system, DORA mandates a comprehensive, well-documented ICT risk management framework. The management body is responsible for defining, approving, and overseeing the implementation of all arrangements related to that framework, and for keeping its own knowledge of ICT risk up to date. Boards should review and develop the firm's operational resilience framework, ensuring it is well designed, operating effectively, robust, and aligned with the firm's overall governance and risk management frameworks.

    2. Incident Reporting

Under DORA, financial entities are required to define, establish, and implement an ICT-related incident management process to detect, manage, and notify incidents. Incidents must be classified against the criteria in the Regulation, and all major incidents must be reported to the relevant competent authority following the prescribed sequence of an initial notification, an intermediate report, and a final report. Financial entities must record all ICT-related incidents and significant cyber threats, and establish procedures to ensure consistent and integrated monitoring, handling, and follow-up of incidents so that root causes are identified and documented and recurrences are prevented.

    3. Digital Operational Resilience Testing

DORA requires financial entities (other than microenterprises) to perform digital operational resilience testing of all ICT systems and applications supporting critical or important functions at least yearly. For the financial entities that competent authorities identify as significant, advanced threat-led penetration testing (TLPT) must be conducted at least every three years.

    4. ICT Third-Party Risk

Financial entities are required to manage ICT third-party risk as an integral part of their ICT risk management framework and to monitor the ability of third-party service providers to deliver services securely without impairing the firm's overall operational resilience. Entities must adopt a policy on the use of ICT third-party services supporting critical or important functions, and must create and maintain a register of information covering all contractual arrangements with ICT third-party providers.

    5. Information Sharing

Financial entities may exchange cyber threat information and intelligence with one another, with the aim of enhancing their digital operational resilience through greater awareness of cyber threats.

    Key Challenges

Financial institutions are likely to face several challenges in complying with the DORA requirements:

The Size and Complexity of the Digital Landscape: Financial institutions typically have large numbers of systems (internal, external, and legacy) interacting with each other, delivering different services, and running on different technologies and platforms. Ensuring operational resilience across all of these systems will require close coordination and a comprehensive risk management framework.

Third Parties: Many financial institutions now rely on third-party providers to host critical services. Understanding and attesting to the operational resilience of these external providers can prove challenging, as firms may find it difficult to obtain clear answers and have less control over external processes and procedures.

Continuously Evolving Threats: Organisations must stay abreast of new cyber security threats and risks through continuous monitoring, and must keep their strategies and processes updated to mitigate these evolving threats.

Resourcing: Financial institutions may not have the resources to meet all of the DORA requirements (such as mapping services and running a gap analysis) while simultaneously working to meet the requirements of other regulations, e.g. NIS2.

    Are there penalties?

Yes. DORA leaves the penalties for financial entities to each Member State, which must give its competent authorities the power to impose administrative penalties and remedial measures that are effective, proportionate, and dissuasive; national law may also provide for criminal penalties. For critical ICT third-party providers, the Regulation itself allows the Lead Overseer to impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for up to six months. Headline figures such as 2% of annual worldwide turnover or personal fines of up to €1 million are often quoted in connection with DORA, but they are not set by the Regulation itself and will depend on national implementation.

    How We Can Assist:

First Derivative specialises in financial regulation, providing gap assessments and remediation solutions for clients across cyber security, technology architecture, and operational resilience testing. If you are not on track to meet the target date, or would like external help, please contact First Derivative to find out how we can help you achieve DORA compliance.

    Contact us today


    Adam Thomas
    Practice Lead
    Transaction Reporting Implementation
    Regulation and Compliance


    Ann O’Hagan
    Business Analyst
    Business Services


    Maria Hamid
    Business Analyst
    Business Services – Regulatory Solutions
