4.02 Digital Operational Resilience Act (DORA)

​Nowadays, cybersecurity attacks pose a serious threat to the financial sector – they have the ability to compromise the entire system. The Digital Operational Resilience Act (DORA), as a part of the Digital Finance Regulations, aims to provide guidance to institutions in this sector, setting out rules for managing the ICT-related incidents.

 

Contents

• What is DORA?
• What are the main objectives of the DORA regulation?
• What entities does the DORA apply to?
• What kind of definitions are used in DORA?
• Key areas of DORA
• What are the expected challenges ahead of DORA?
• What actions should be taken from the perspective of financial entities?

 

What is DORA?

DORA, the Regulation of the European Parliament and of the Council on the digital operational resilience of the financial sector, is a part of the Digital Finance package.

The package also includes:

• regulation on Markets in Crypto-assets (MiCA),
• regulation on a pilot regime for market infrastructures based on distributed ledger technology (DLT).

DORA came into force on 16 January 2023 and the regulations will apply from 17 January 2025.

Currently, the general framework for cybersecurity at the EU level is defined by Directive (EU) 2016/1148 of the European Parliament and of the Council (NIS - Network and Information Systems Directive). Its amendment, the so-called NIS 2 Directive, is due to come into force soon.

DORA is expected to become the main reference point in terms of cybersecurity in the financial sector.

 

What are the main objectives of the DORA regulation?

The general goal is to increase operational digital resilience for EU financial sector entities by simplifying and improving existing regulations, as well as introducing new requirements in areas where gaps are apparent. 

The regulation aims to consolidate and update ICT (Information and Communications Technology) risk requirements contained separately in individual regulations and directives.

 

What entities does the DORA apply to?

DORA applies to the following entities:

• credit institutions,
• payment institutions,
• electronic money institutions,
• investment firms,
• crypto-asset service providers, issuers of crypto-assets, issuers of asset- referenced tokens and issuers of significant asset-referenced tokens,
• central securities depositories,
• central counterparties,
• trading venues,
• trade repositories,
• managers of alternative investment funds,
• management companies,
• data reporting service providers,
• insurance and reinsurance undertakings,
• insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries,
• institutions for occupational retirement pensions,
• credit rating agencies,
• statutory auditors and audit firms,
• administrators of critical benchmarks,
• crowdfunding service providers,
• securitisation repositories,
• ICT third-party service providers.

 

What kind of definitions are used in DORA?

• Digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity from a technological perspective by ensuring, either directly or indirectly, through the use of services of ICT third-party providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity makes use of, and which support the continued provision of financial services and their quality.
• ICT-related incident means an unforeseen identified occurrence in the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity or authenticity of financial services provided by the financial entity.
• ICT risk means any reasonably identifiable circumstance in relation to the use of network and information systems – including a malfunction, capacity overrun, failure, disruption, impairment, misuse, loss or other type of malicious or non-malicious event – which, if materialised, may compromise the security of the network and information systems, of any technology-dependant tool or process, of the operation and process’ running, or of the provision of services (…).
• ICT third-party service provider means an undertaking providing digital and data services, including providers of cloud computing services, software, data analytics services, data centres, but excluding providers of hardware components and undertakings authorised under Union law which provide electronic communication services.

 

Key areas of DORA

DORA consists of 5 key areas:

​
 

• ICT risk management – comprehensive and well-documented ICT risk management framework (strategies, policies, protocols and tools necessary for the proper and effective protection of the infrastructure) that is reviewed at least once a year.
  • Identification, classification and documentation of ICT-related business functions,
  • Development of an information security policy,
  • Having mechanisms to quickly detect abnormal activities,
  • Implementing a comprehensive ICT business continuity policy,
  • Backup policy,
  • Conclusions from tests and incidents,
  • Mandatory training for staff (employees and executives),
  • Communication plans enabling a responsible disclosure of ICT-related incidents or major vulnerabilities to clients and counterparts.
• ICT-related incidents – management, classification and reporting – processes to ensure ICT-related incident monitoring and corrective actions.
  • Classification of incidents and determination of their impact based on certain criteria (including incident duration, number of users affected, criticality of services affected),
  • Reporting of major incidents to the relevant competent authority (an initial notification, an intermediate and a final report).
• Digital operational resilience testing – testing of all key ICT systems and applications at least once a year. The testing program includes:
  • Open source analysis,
  • Network security assessments,
  • Scenario testing,
  • Performance testing,
  • Penetration testing (entities other than micro-enterprises should conduct advanced testing at least once every three years using penetration testing for threat searches – testing documentation is to be approved by the relevant authorities).
• Managing ICT third-party risk – all processes related to cooperating with external providers.
  • Assessment of the provider,
  • Implementing an exit strategy (the ability to withdraw from contractual arrangements with the ICT service provider) and developing a transition plan that will not disrupt systems and damage the continuity and quality of services provided,
  • Contracts with ICT service providers (in writing) which include the services level agreements,
  • Determination of the key external ICT service providers, 
  • Periodic fines for the key external ICT service providers.
• Information sharing arrangements – the ability for financial entities to share information about cyber threats and the results of analysis of such a cyber threat, including:
  • Signs of a breach of system integrity,
  • Tactics,
  • Techniques and procedures,
  • Cyber security warnings,
  • Configuration tools.

 

Within each of the key areas, DORA requires financial entities to comply with a number of requirements with respect to various aspects within ICT and digital security. Thus, it provides a comprehensive* framework for the digital resilience of financial entities.

* European Supervisory Authorities are expected to prepare and publish regulatory technical standards regarding the guidelines contained in the regulation to concretize the requirements.

 

What are the expected challenges ahead of DORA?

• Eliminating overlapping regulations and regulatory inconsistencies and gaps,
• Increasing information sharing and cooperation on cyber threat analysis to enable individual financial entities to properly assess, monitor, defend against and respond to cyber threats,
• Standardizing ICT incident reporting requirements so that supervisors have a complete picture of the nature, frequency, significance and impact of incidents,
• Reducing compliance costs for financial entities, especially for financial entities with cross-border operations.

 

What actions should be taken from the perspective of financial entities?

• Align processes and practices with the regulation's guidelines, including policies on information security, business continuity, incident response and disaster recovery,
• Prepare to conduct periodic assessments and reports,
• Identify and review all ICT service providers, associated contracts and documentation.