What is DORA?
The Digital Operational Resilience Act or DORA is the EU’s proposed digital finance package, seeking to improve ICT resilience standards within the financial sector. The legislation oversees any companies that indirectly deal with the financial sector too, including IT operations in particular seeking to harmonise digital resilience in the European Union through the introduction of requirements on ICT risk management, third party lifecycle management and ICT-related incident reporting.
DORA will form a regulatory framework on digital operational resilience whereby all in scope entities must ensure they can withstand all types of ICT-related disruptions and threats.
It will ensure that participants of financial systems are subject to a common set of standards to manage ICT risks and ensure safeguards are in place to protect, detect, identify, respond and recover from cyber-attacks.
It comprises 5 main requirements:
- ICT Risk Management: Adopt ICT governance and control frameworks, including an IT risk management framework to be documented and reviewed at least annually incorporating:
- Identification
- Protection and prevention
- Detection
- Response and recovery
- Learning and evolving
- ICT Incident Reporting: Streamline ICT incident reporting through the logging and classification of ICT incidents and reporting of major incidents to competent authorities using common templates and procedures.
- Digital Operational Resilience Testing: Performance of basic digital operational resilience testing at least yearly for all financial entities, and advanced threat-led penetration testing at least every 3 years.
- Management of ICT Third-Party Risk: Monitor third-party contractual arrangements at all stages and enable European Supervisory Authorities (ESAs) oversight of ICT third-party service providers deemed ‘critical’ by ESAs.
- Information-Sharing Arrangements: Voluntary participation in intelligence sharing through the exchange of cyber threat information among financial entities, including tactics, procedures, and signs of compromise.
Once the DORA proposal is formally adopted, it will be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.