The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector.
DORA establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by 17 January 2025.
Learn how to apply data governance and privacy at scale with organization-wide standards and data lineage capabilities.
Transform your talent with our guide
DORA has two main objectives: to comprehensively address ICT risk management in the financial services sector and to harmonize the ICT risk management regulations that already exist in individual EU member states.
Before DORA, risk management regulations for financial institutions in the EU primarily focused on ensuring that firms had enough capital to cover operational risks. While some EU regulators released guidelines on ICT and security risk management (link resides outside ibm.com), these guidelines didn't apply to all financial entities equally, and they often relied on general principles rather than specific technical standards. In the absence of EU-level ICT risk management rules, EU member states issued their own requirements. This patchwork of regulations has proven difficult for financial entities to navigate.
With DORA, the EU aims to establish a universal framework for managing and mitigating ICT risk in the financial sector. By harmonizing risk management rules across the EU, DORA seeks to remove the gaps, overlaps and conflicts that could arise between disparate regulations in different EU states. A shared set of rules can make it easier for financial entities to comply while improving the entire EU financial system's resilience by ensuring that every institution is held to the same standard.
DORA applies to all financial institutions in the EU. That includes traditional financial entities, such as banks, investment firms and credit institutions, and non-traditional entities, including crypto-asset service providers and crowdfunding platforms.
Notably, DORA also applies to some entities typically excluded from financial regulations. For example, third-party service providers that supply financial firms with ICT systems and services—like cloud service providers and data centers—must follow DORA requirements. DORA also covers firms that provide critical third-party information services, such as credit rating services and data analytics providers.
DORA was first proposed by the European Commission—the executive branch of the EU responsible for introducing legislation—in September 2020. It's part of a larger digital financial package that also includes initiatives for regulating crypto-assets and enhancing the EU's overall digital finance strategy. The Council of the European Union and the European Parliament (the legislative bodies responsible for approving EU laws) formally adopted the DORA in November 2022. Financial entities and third-party ICT service providers have until 17 January 2025 to comply with DORA before enforcement starts.
While the EU has officially adopted DORA, key details are still being ironed out by the European Supervisory Authorities (ESAs). The ESAs are the regulators that oversee the EU financial system, including The European Banking Authority (EBA), the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority.
The ESAs are in charge of drafting the regulatory technical standards (RTS) and implementing technical standards (ITS) that covered entities must implement. These standards are expected to be finalized in 2024. The European Commission is developing an oversight framework for critical ICT providers, which is also expected to be finalized in 2024.
Once the standards are finalized and the January 2025 deadline has arrived, enforcement will fall to designated regulators in each EU member state, known as "competent authorities." The competent authorities can request that financial entities take specific security measures and remediate vulnerabilities. They'll also be able to impose administrative—and, in some cases, criminal—penalties on entities that fail to comply. Each member state will decide on its own penalties.
ICT providers deemed "critical" by the European Commission will be directly supervised by lead overseers from the ESAs. Like competent authorities, lead overseers can request security measures and remediation and penalize noncompliant ICT providers. DORA allows lead overseers to levy fines on ICT providers amounting to 1% of the provider's average daily worldwide turnover in the previous business year. Providers can be fined every day for up to six months until they achieve compliance.
DORA establishes technical requirements for financial entities and ICT providers across four domains:
- ICT risk management and governance
- Incident response and reporting
- Digital operational resilience testing
- Third-party risk management
Information sharing is encouraged but not required.
Requirements will be enforced proportionately, which means smaller entities will not be held to the same standards as major financial institutions. While the RTSs and ITSs for each domain are still under development, the existing DORA legislation offers some insight into the general requirements.
ICT risk management and governance
The DORA makes an entity's management body responsible for ICT management. Board members, executive leaders and other senior managers are expected to define appropriate risk management strategies, actively assist in executing them, and stay current on their knowledge of the ICT risk landscape. Leaders can also be held personally accountable for an entity's failure to comply.
Covered entities are expected to develop comprehensive ICT risk management frameworks. Entities must map their ICT systems, identify and classify critical assets and functions, and document dependencies between assets, systems, processes and providers. Entities must conduct continuous risk assessments on their ICT systems, document and classify cyberthreats, and document their steps to mitigate identified risks.
As part of the risk assessment process, entities must conduct business impact analyses to assess how specific scenarios and severe disruptions might affect the business. Entities should use the results of these analyses to set levels of risk tolerance and inform the design of their ICT infrastructure. Entities will also be required to implement suitable cybersecurity protection measures, such as policies for identity and access management and patch management, along with technical controls such as extended detection and response systems, security information and event management (SIEM) software, and security orchestration, automation and response (SOAR) tools.
Entities will also need to establish business continuity and disaster recovery plans for various cyber risk scenarios, such as ICT service failures, natural disasters and cyberattacks. These plans must include data backup and recovery measures, system restoration processes and plans for communicating with affected clients, partners and the authorities.
RTSs specifying the required elements of an entity's risk management framework are forthcoming. Experts believe they will be similar to the existing EBA guidelines on ICT and security risk management.
Incident response and reporting
Covered entities must establish systems for monitoring, managing, logging, classifying and reporting ICT-related incidents. Depending on the severity of the incident, entities may need to make reports to both regulators and affected clients and partners. Entities will be required to file three different kinds of reports for critical incidents: an initial report notifying authorities, an intermediate report on progress toward resolving the incident, and a final report analyzing the root causes of the incident.
The rules on how incidents should be classified, which incidents must be reported, and timelines for reporting are forthcoming. ESAs are also exploring ways to streamline reporting by establishing a central hub and common report templates.
Digital operational resilience testing
Entities must test their ICT systems regularly to evaluate the strength of their protections and identify vulnerabilities. The results of these tests, and plans for addressing any weaknesses they find, will be reported to and validated by the relevant competent authorities.
Entities must carry out basic tests, like vulnerability assessments and scenario-based testing, once a year. Financial entities judged to play a critical role in the financial system will also need to undergo threat-led penetration testing (TLPT) every three years. The entity's critical ICT providers will be required to participate in these penetration tests as well. Technical standards on how TLPTs should be carried out are forthcoming, but they're likely to align with the TIBER-EU framework (link resides outside ibm.com) for threat intelligence-based ethical red-teaming.
Third-party risk management
One unique aspect of DORA is that it applies not only to financial entities but also to the ICT providers that service the financial sector.
Financial firms are expected to take an active role in managing ICT third-party risk. When outsourcing critical and important functions, financial entities must negotiate specific contractual arrangements regarding exit strategies, audits and performance targets for accessibility, integrity and security, among other things. Entities will not be allowed to contract with ICT providers who cannot meet these requirements. The competent authorities are empowered to suspend or terminate contracts that don't comply. The European Commission is exploring the possibility of drafting standardized contractual clauses that entities and ICT providers can use to ensure their agreements comply with DORA.
Financial institutions will also need to map their third-party ICT dependencies, and they'll be required to ensure their critical and important functions are not too heavily concentrated with a single provider or small group of providers.
Critical ICT third-party service providers will be subject to direct oversight from relevant ESAs. The European Commission is still developing the criteria for determining which providers are critical. Those that meet the standards will have one of the ESAs assigned as a lead overseer. In addition to enforcing DORA requirements on critical providers, lead overseers will be empowered to forbid providers from entering into contracts with financial firms or other ICT providers that don't comply with the DORA.
Information sharing
Financial entities must establish processes for learning from both internal and external ICT-related incidents. Toward that end, the DORA encourages entities to participate in voluntary threat intelligence sharing arrangements. Any information shared this way must still be protected under the relevant guidelines—for instance, personally identifiable information is still subject to General Data Protection Regulation considerations.
Harness the full power of your IT infrastructure. The latest generation of IBM servers, storage and software can help you modernize and scale on premises and in the cloud with secure hybrid cloud and trusted AI automation and insights.
Discover how high-impact AI automations can help make your IT systems more proactive, processes more efficient and people more productive.
Speed up innovation while addressing your security and compliance needs. IBM Cloud for Financial Services is designed to help clients mitigate risk and accelerate cloud adoption for their most sensitive workloads.
DORA recognizes the evolving nature of risk and resilience in the increasingly digitalized landscape of EU financial services.
Like any endeavor designed to deliver transformative change at pace and scale, implementing DORA will require consistent focus and engagement, particularly at the board and executive levels.
Chief supply chain officers who are looking to the future can distinguish themselves from peers who are only focused on the present.