
DORA brings extensive ICT risk compliance rules for the financial sector

The EU's Digital Operational Resilience Act (DORA) establishes a binding framework for ICT risk management in the financial sector. It requires entities to enhance risk management, incident reporting, resilience testing, and oversight of third-party providers, with a compliance deadline of January 17, 2025.

The European Union has introduced a landmark piece of legislation for the financial sector, the Digital Operational Resilience Act (DORA), aimed at strengthening the information and communication technology (ICT) security of all financial entities. The regulation entered into force on January 16, 2023, and will apply from January 17, 2025. DORA creates a harmonized framework for managing and mitigating ICT risk, ensuring the financial sector can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

The need for DORA arose from the financial sector's increasing dependency on technology and tech companies. Prior to DORA, regulations primarily focused on ensuring firms had enough capital to cover operational risks, but this approach failed to fully encompass operational resilience against ICT risks. The legislation aims to harmonize rules across the EU, removing the gaps and conflicts that could arise from disparate regulations in different member states.

The Five Key Pillars of DORA

DORA is structured around five crucial pillars designed to provide a comprehensive approach to digital resilience:

1. ICT Risk Management: Financial entities are required to set up and maintain resilient ICT systems and tools that minimize the impact of ICT risk. This includes implementing a documented ICT risk management framework, continuously identifying all sources of ICT risk, setting up protection and prevention measures, promptly detecting anomalous activities, and putting in place business continuity policies and disaster recovery plans.

2. ICT-Related Incident Reporting: The regulation imposes strict incident reporting requirements. Financial entities must report major ICT-related incidents to the competent authorities. The process involves an initial notification, an intermediate report, and a final report. The initial notification must be made within four hours of classifying the incident as major, and no later than 24 hours from when the entity becomes aware of it. Entities are also encouraged to voluntarily report significant cyber threats.

3. Digital Operational Resilience Testing: Regular testing of ICT systems and tools is required to identify vulnerabilities. All entities, except for microenterprises, must perform annual basic testing. Furthermore, critical entities must undergo advanced testing, known as Threat-Led Penetration Testing (TLPT), at least every three years to test their live production functions.

4. ICT Third-Party Risk Management: DORA acknowledges the risks posed by external ICT service providers, such as cloud platforms. Financial entities remain fully responsible for complying with their obligations when using third-party providers. The regulation requires entities to monitor third-party risk, ensure contracts include specific provisions, and establish an oversight framework for critical ICT providers. Entities must also maintain a register of information on all contractual arrangements with ICT service providers.

5. Information Sharing: To enhance collective defense, DORA encourages financial entities to exchange cyber threat information and intelligence among themselves.

Scope and Consequences

DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU. The scope is broad, covering banks, insurance companies, investment firms, crypto-asset service providers, and critical third-party ICT providers. Its reach extends to non-EU ICT providers if their services are critical to the operations of EU-based financial institutions.

Non-compliance with DORA can lead to significant penalties. Firms that violate DORA's requirements face fines of up to 2% of their total annual worldwide turnover. Member states can also impose criminal penalties for severe violations. As the January 17, 2025, deadline approaches, financial entities and their ICT partners must ensure they have the necessary frameworks in place to meet the regulation's extensive obligations, thereby bolstering the stability and security of the entire European financial system.
