Hello, welcome to our deep dive into the Digital Operational Resilience Act (DORA), a pivotal regulatory framework reshaping cybersecurity and operational resilience in the European financial sector. To make this complex topic as accessible and actionable as possible, we’ve structured this blog post in a Q&A format.

The post is divided into two parts. The first part focuses on DORA’s purpose, scope, and enforcement, giving the necessary background information about the regulation. The second part takes a more technical approach, diving into the specific requirements and actions financial entities need to take to comply with DORA.

Whether you’re a cybersecurity professional, compliance officer, or simply keen to understand how DORA impacts financial entities, this guide will address your burning questions. Let’s demystify what DORA means for your organisation—and how to turn compliance regulations into a strategic advantage.

Introduction to DORA and its Core Provisions

This part covers the foundational aspects of DORA, including its definition, its scope, and the entities it applies to.

It explains the timeline for implementation and provides a clear understanding of how DORA affects organisations. Additionally, it outlines the key provisions, enforcement mechanisms, and consequences for non-compliance, providing a high-level overview of the regulatory framework.

This section will help you understand the “what” and “how” of DORA and its implications for your organisation.

What is DORA and how does it work?

DORA (Regulation (EU) 2022/2554) is designed to enhance the digital resilience of the financial sector, addressing the growing dependence on ICT services and managing the increasing risks arising from digitalisation and interconnectedness.

It provides comprehensive rules for financial entities to manage ICT risks, focusing on ICT third-party service providers to ensure operational stability and security across the EU’s financial markets.

The Regulation harmonizes ICT risk management, incident reporting, and resilience testing, creating a unified framework to mitigate systemic risks from critical ICT providers.

What entities does DORA apply to?

DORA applies to a wide range (20 different types) of financial entities, including credit institutions, payment institutions, investment firms, crypto-asset service providers, and insurance companies, as well as ICT third-party service providers supporting these entities.

Entities exempted by specific EU laws, such as certain micro-enterprises or small insurance intermediaries, are not covered. Member States can exclude specific entities within their territories, but they must inform the Commission, which will publicly disclose this information.

What is the timeline for implementing DORA?

Member States must notify relevant laws to the Commission and other authorities by January 2025 and update them on any amendments. Financial entities should be fully compliant by that time.

The Commission will review the regulation by 2028, consulting with the European Supervisory Authorities (ESAs) and the European Systemic Risk Board (ESRB). The review will assess critical ICT service provider designation, cyber threat notifications, oversight effectiveness for third-country providers, and the regulation’s scope. The Commission will also evaluate the need for increased cyber resilience in payment systems and digital resilience for auditors.

The Commission is empowered to adopt delegated acts under Articles 31(6) and 43(2) for five years starting from January 2024. The delegation can be extended automatically for subsequent five-year periods unless opposed by the European Parliament or Council. The delegation can also be revoked at any time.

How does DORA affect my company/organisation?

If your company is a financial entity covered by DORA, you’ll need to ensure that your ICT systems are resilient, secure, and compliant with DORA’s requirements for ICT risk management, incident detection, management, reporting and follow-up, and digital operational resilience testing.

This may involve updating your risk management frameworks, ensuring that third-party contracts meet the required standards, and implementing procedures for business continuity, incident detection, and crisis communication. Major incidents must be reported to senior management, and actions should mitigate impacts and restore services securely.

What are the key provisions of DORA?

This Regulation fills gaps in previous legislation, providing a more coordinated and efficient approach to digital operational resilience, ultimately strengthening the EU’s financial stability and cybersecurity posture.

Its key provisions include:

  • Robust ICT risk management practices, including the reporting of major ICT-related incidents and significant cyber threats, as well as sharing of cyber threat intelligence.
  • Effective incident management, classification and reporting protocols.
  • Regular digital operational resilience testing to ensure systems remain secure under stress.
  • Management of ICT third-party risks through clear contractual arrangements.
  • An oversight framework for critical ICT third-party service providers and cooperation among competent authorities for supervision and enforcement.

How is DORA monitored and enforced?

DORA establishes a centralised Oversight Framework to ensure critical ICT providers are monitored, with clear guidelines on compliance, incident response, and penalties for non-cooperation. The Regulation also creates a strong governance structure, including a Lead Overseer and coordination among the ESAs. It promotes international cooperation to align with global best practices.

Under DORA, the competent authorities of the various financial sectors are responsible for enforcing compliance. They cooperate with the ESAs and the Lead Overseer, sharing information about risks and actions related to critical ICT providers. The ESAs, in collaboration with ENISA, will develop regulatory standards to clarify ICT security, access management, incident detection, and recovery requirements. These standards will be tailored to the size, risk profile, and complexity of financial entities. Additional standards will be issued to guide smaller entities in meeting these requirements.

Competent authorities are granted supervisory, investigatory, and sanctioning powers, including inspections, corrective actions, and administrative penalties. Penalties must be effective and proportionate, and decisions must be subject to appeal. Authorities can impose criminal penalties and must ensure cooperation with judicial authorities. Information about penalties must be published, with discretion where publication could harm financial markets or breach data protection rules.

What are the consequences for non-compliance with DORA?

DORA provides competent authorities with the power to impose administrative penalties for non-compliance. These can include corrective actions, fines, and even the cessation of non-compliant activities. The penalties must be effective, proportional, and dissuasive, and decisions can be appealed. In cases of serious breaches, criminal penalties may apply. Investigations, including onsite inspections, can be conducted. Standards for required information from ICT providers and oversight team structures should be established.

How does DORA interact with other regulations?

DORA complements other regulations, such as NIS 2 (Network and Information Security Directive) and MiCA (Markets in Crypto-Assets Regulation). While DORA specifically focuses on the resilience of financial entities and their third-party providers, NIS 2 addresses broader cybersecurity issues across various sectors, and MiCA focuses on regulating crypto-assets. Together, these regulations provide a unified approach to digital resilience and cybersecurity across different industries.

Personal data processed under this regulation must comply with data protection laws and be retained for up to 15 years, unless required for legal proceedings.

Outro

This concludes the first part of this two-part blog post. While this first part focused mostly on the legal side, the upcoming second part will turn its attention to the more technical aspects of this regulation.

Thank you for taking the time.

Until next time.
