The European Union has introduced a landmark regulation, the Digital Operational Resilience Act (DORA), aimed at strengthening cybersecurity across the financial sector. The regulation, which entered into force on January 16, 2023, and will be fully applicable from January 17, 2025, creates a unified framework for managing information and communication technology (ICT) risks. This legislation represents a significant shift, moving away from the previous approach where financial institutions primarily managed operational risks by setting aside capital to cover potential losses.
DORA establishes uniform requirements for the security of network and information systems that support the business processes of financial entities. Its primary goal is to ensure that all firms in the financial sector can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The regulation's scope is broad, applying to 20 different types of financial entities, including banks, insurance companies, investment firms, crypto-asset service providers, and critical third-party ICT service providers.
The Five Pillars of DORA
The regulation is structured around five key pillars designed to create a comprehensive digital resilience framework.
1. ICT Risk Management: This pillar requires organizations to establish and maintain robust ICT risk management frameworks to identify and mitigate risks. The entity's management body is responsible for defining and overseeing these frameworks.
2. ICT-Related Incident Reporting: DORA harmonizes the incident reporting process, requiring entities to classify major incidents and report them to competent authorities using standard templates and strict timelines.
3. Digital Operational Resilience Testing: Regular testing is mandated to ensure the effectiveness of existing strategies and systems. This includes basic annual testing and, for systemically important entities, more comprehensive threat-led penetration testing (TLPT) at least every three years.
4. ICT Third-Party Risk Management: DORA requires financial entities to integrate ICT third-party risk management as a core component of their overall ICT risk strategy. Entities are fully responsible for the compliance of their third-party providers and must ensure contractual arrangements include clear obligations.
5. Information Sharing: The regulation encourages the sharing of cyber threat information and intelligence among financial entities to enhance collective resilience.
Implications and Penalties
DORA imposes a comprehensive set of obligations on financial entities to strengthen their cyber resilience. It also extends its reach to non-EU ICT service providers if their services are critical to the operations of EU-based financial institutions. The European Supervisory Authorities (ESAs) have the power to designate certain ICT providers as “critical,” subjecting them to direct oversight.
Non-compliance with DORA can lead to severe penalties. Financial entities can face fines of up to 2% of their total annual worldwide turnover. Critical third-party providers may face even higher fines, up to €5,000,000 for a firm or €500,000 for an individual. Furthermore, regulators can impose remedial actions, conduct inspections, and suspend contracts with non-compliant ICT providers.
As the January 17, 2025, deadline approaches, financial institutions and their ICT partners must ensure they have the necessary frameworks, processes, and contractual agreements in place to be fully compliant. Active involvement from the management body and the development of a culture of operational resilience are essential for a smooth transition into this new regulatory landscape.
