DORA – Digital Operational Resilience Act – regulation memo

The European Commission introduced in September 2020 a proposal for a regulation on digital operational resilience for the financial sector, commonly referred to as the Digital Operational Resilience Act (DORA), as part of its digital finance strategy.

The Digital Operational Resilience Act, or DORA, promotes a common set of rules and standards to mitigate Information and Communications Technology (ICT) risks for financial entities. One of the objectives of DORA is to prevent increased fragmentation of rules applicable to ICT risk management.

Furthermore, the European Commission considers that the financial entities in the scope of DORA are not all equally exposed to ICT risks. In fact, various factors such as the size of an entity, its functions or business profile may affect its exposure to ICT risks.

Therefore, ICT risks have to be managed in a coherent, proportionate and consistent manner.

About DORA – Digital Operational Resilience Act

The Digital Operational Resilience Act will apply directly across the European Union (EU) without any need for national implementation laws, thus achieving for the first time a homogeneous application of principles and rules addressing ICT risk management for the financial sector.

What is the legislative timeline of the Digital Operational Resilience Act?

The legislative timeline of DORA is as follows:

  • 10 May 2022: the inter-institutional negotiation phase ended with a provisional agreement reached between the European Parliament and Council.
  • November 2022: a plenary vote is expected by November 2022, with publication in the Official Journal to follow.
  • 2024: the regulation is likely to enter into application by the end of 2024, subject to adoption of level 2 measures. The level 2 mandate is important in DORA’s context as certain critical elements are expected to be covered (e.g. RTS on ICT incidents and cyber threat classification, RTS on reporting of major ICT and cyber incidents to authorities, RTS on key contractual provisions).

DORA’s five pillars

DORA and ICT risk management

Financial entities must have internal governance and control frameworks that ensure an effective and prudent management of all ICT risks[1] to bring about a high level of digital operational resilience.

Financial entities shall be prepared to manage risks ranging notably from the decision to provide services to the communication of a potential major ICT-related incident. Compliance with all ICT risk management obligations will, however, depend on the profile of the entity: DORA allows small and non-interconnected actors to observe a simplified ICT risk management framework.

Prevention of ICT risks under DORA

As part of their ICT risk governance and control framework, financial entities have to use and maintain updated systems, protocols and tools. They also have to identify, classify and adequately document all ICT-related business functions, risks and system accounts, as well as all processes that are dependent on ICT third-party service providers.

Implementing security strategies, policies and protocols aiming at ensuring the resilience and continuity of ICT systems is also key in the protection and prevention of ICT risks. DORA therefore requires financial entities to design, procure and implement appropriate security strategies and policies as well as be able to detect anomalous activities.

Continuity and efficient restoration under DORA

The Digital Operational Resilience Act contains an obligation to put in place a dedicated and comprehensive ICT business continuity policy which is an integral part of financial entities’ operational business continuity policy. Such policy should notably aim at limiting damages of incidents and ensuring continuity of the financial entities’ critical or important functions.

In order to ensure efficient restoration of ICT systems and limitation of impact of disruption, financial entities also have to develop backup policies and recovery methods.

In case of significant ICT disruptions, financial entities have to perform incident reviews to analyse causes and identify improvements.

ICT-related incident reporting under DORA

Financial entities have to define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents.

ICT-related incidents will be classified and financial entities will have to determine the impact of any incident. In order to do so, financial entities have to consider:

  • The number of users/financial counterparts affected by an incident
  • The duration of the incident
  • The geographical spread
  • The data losses entailed by the incident
  • The criticality of services affected
  • The economic impact

Major ICT-related incidents have to be reported in a timely manner to the appropriate competent authority, using standardised reporting templates.

Digital operational resilience testing

As part of the ICT risk management framework, financial entities have to establish, maintain and regularly review a sound and comprehensive digital operational resilience testing programme. The objective is to be able to assess and identify weaknesses, deficiencies or gaps in their digital operational resilience and to be capable of promptly implementing corrective measures.

ICT systems and tools are subject to regular tests and advanced tests to be conducted by independent parties (whether internal or external). The frequency of these tests may vary depending on the risk profile and circumstances of the financial entity concerned.

Management of ICT third-party risks

The management of ICT third-party risks is an integral component of the ICT risk management framework.

DORA defines a set of key principles for financial entities in order to achieve a sound management of ICT third-party risks and engage in a robust contractual relationship with ICT third-party service providers.

The Digital Operational Resilience Act contains elements relating to the selection of ICT third-party service providers (with prior due diligence), key contractual provisions to be included in agreements concluded with ICT third-party service providers (including termination event and exit strategies) as well as ongoing controls and oversight of critical ICT third-party service providers.

Information sharing under DORA

DORA promotes information-sharing arrangements among financial entities with a view to enhancing digital operational resilience, in particular by raising awareness of cyber threat information and intelligence, including indicators of compromise, tactics and cyber security alerts.

Information-sharing arrangements have to be concluded among trusted communities of financial entities and have to protect the sensitivity of the information shared, each time in compliance with applicable confidentiality rules and personal data protection principles.

Industry implications of DORA

DORA is an integral part of the digital finance package. Financial entities will have to comply with the provisions and requirements of DORA within 24 months after the regulation has entered into force. The management of cyber-security risks will undoubtedly improve and gain maturity with the harmonised and general application of DORA’s requirements and code of practice.

In order to comply with all the requirements laid down in the regulation, financial entities have to fully assess their existing procedures, tools and standard practices related to ICT-risk management and the involvement of ICT third-party service providers.

Securities Services’ view

DORA is an important piece in the evolution of financial markets towards digitalisation. Making European financial markets ready for the digital age means that appropriate safeguards should be in place to promote a sound market and to give certainty and confidence to all participants wishing to be part of the digital revolution.

Therefore, the rules contained in DORA are likely to balance the ever-increasing exposure to ICT risks and cyber threats implied by growing dependency on technology.

Key dates of DORA

24 September 2020 – Adoption by the Commission of the proposal for a regulation on digital operational resilience for the financial sector

24 February 2021 – European Economic and Social Committee opinion

10 May 2021 – European Data Protection Supervisor opinion

4 June 2021 – European Central Bank opinion

10 May 2022 – Provisional agreement reached between European Parliament and Council

10 November 2022 – Plenary Vote and adoption of the regulation

27 December 2022 – Publication in the Official Journal of the European Union

16 January 2023 – Entry into force of DORA

16 January 2025 – Entry into application of DORA

[1] ICT risks are defined as any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment.