Digital Operational Resilience Act (DORA)

(c) Gillaume Perigois / Unsplash

The Digital Operational Resilience Act,  in short DORA, is new regulation that aims to strengthen the resilience of the financial sector. This because the financial sector as a whole extensively relies on ICT, which brings its own set of risks.

DORA is actually part of the EU Digital Finance Package (which also focuses on crypto-assets), and tries to align several ongoing security / resilience related initiatives:

  • EBA guidelines on ICT and security risk management
  • NIS Directive (and the upcoming NIS2 directive)
  • EBA guidelines on outsourcing
  • (and others)

Fun fact: DORA applies to "crypto-asset service providers, issuers of crypto-assets, issuers of asset-referenced tokens and issuers of significant asset-referenced tokens"

Now, on to the interesting parts, DORA prescribes the following requirements.

Please note that these requirements are actually nothing new for existing financial institutions (TradFi). DORA will more or less align and/or streamline current security & IT risk measures which is a welcome change for once. 👍

ICT risk management

  • Governance and organisation
  • ICT risk management framework
  • ICT systems, protocols and tools
  • Identification
  • Protection and prevention
  • Detection
  • Response and recovery
  • Backup policies, restoration and recovery methods
  • Learning and evolving
  • Communication
  • Further organisation of ICT risk management tools, methods, processes and policies
  • Simplified ICT risk management framework

ICT-related incident management, classification and reporting

  • ICT-related incident management process
  • Classification of ICT-related incidents and cyber threats
  • Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
  • Harmonisation of reporting content and templates
  • Centralisation of reporting of major ICT-related incidents
  • Supervisory feedback
  • Operational or security payment-related incidents concerning credit institutions, payment institutions, account information service providers, and electronic money institutions

Digital operational resilience testing

  • General requirements for the performance of digital operational resilience testing
  • Testing of ICT tools and systems
  • Advanced testing of ICT tools, systems and processes based on threat led penetration testing
  • Requirements for testers

ICT third-party risk

Key principles for sound management of ICT third party risk
  • General principles
  • Preliminary assessment of ICT concentration risk and further sub-outsourcing arrangements
  • Key contractual provisions
Oversight framework of critical ICT third-party service providers
  • Designation of critical ICT third-party service providers
  • Structure of the Oversight Framework
  • Tasks of the Lead Overseer
  • Powers of the Lead Overseer
  • Request for Information
  • General investigations 
  •  On-site inspections 
  •  Ongoing Oversight 
  • Harmonisation of conditions enabling the conduct of the Oversight
  •  Follow-up by competent authorities 
  •  Oversight fees 
  •  International cooperation 

Information sharing

  • Information-sharing arrangements on cyber threat information and intelligence

Competent authorities

  • Another 9 articles 😅, but the most important aspects are: Administrative penalties (including criminal penalties) and remedial measures

You can download a copy of the proposed regulation here: Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014