The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) solves an important problem in EU financial regulation. Financial institutions must now also follow rules for protection against ICT-related incidents and for their detection, containment, recovery and repair.
The Digital Operational Resilience Act - DORA for short - is an EU regulation that came into force on January 16, 2023 and will apply from January 17, 2025. It aims to strengthen the IT security of financial companies such as banks, insurance companies and investment firms and to ensure that the financial sector in Europe remains resilient even in the event of serious operational disruptions. DORA harmonizes the rules on operational resilience for the financial sector and applies to 20 different types of financial entities and to third-party information and communication technology providers.
Excluded: small reporting entities, small and non-interconnected investment firms, and micro-entities.
The financial sector is increasingly dependent on technology and technology companies to provide financial services. This makes financial institutions more vulnerable to cyber-attacks or incidents.
If information and communication technology (ICT) risks are not properly managed, they can lead to disruption of cross-border financial services. This in turn can have an impact on other companies, industries and even the economy as a whole, underlining the importance of digital operational resilience in the financial sector.
Risk management
Third-party risk management
Digital operational resilience testing
IT security incidents
Information sharing
Monitoring of important third-party providers
DORA allows exceptions to its scope of application to be defined at national level for certain areas, such as funding institutions.
The final drafts of the DORA framework can be found on the ESMA website.
The idea of DORA is to strengthen the digital operational capability of the EU financial sector by improving the information and communication technology (ICT) of financial firms as well as the risk management of third parties and the reporting of ICT incidents.
It is important to understand the requirements and to derive the need for action and concrete measures from them so that a prioritized implementation plan can be drawn up. For example, specially developed DORA check-up tools can be used for the analysis; these contain a wealth of information for each requirement, such as key questions and detailed action requirements. This analysis forms the basis for the successful implementation of DORA in the next step.