In an era where digital operations are pivotal to the functioning of the financial sector, maintaining operational resilience is not just a necessity but a regulatory requirement. The Digital Operational Resilience Act (DORA) is a groundbreaking legislative framework from the European Union (EU) that will apply to financial sector organisations operating in Europe from 17 January 2025.
Are you ready?
The objectives of DORA
DORA is designed to ensure that all entities in the financial system have the necessary safeguards to mitigate cyber threats and IT disruptions, consolidating and enhancing their digital operational resilience to prevent, withstand and recover from such incidents. It applies to a broad spectrum of financial entities, including banks, insurance companies, investment firms, crypto-asset service providers, and even critical third-party service providers such as cloud computing services.
The challenges of implementing DORA
Although DORA aims to safeguard financial stability, its implementation comes with a set of challenges, including how to
- align existing IT infrastructure and operations to meet its stringent requirements
- ensure continuous compliance with evolving IT risk management requirements
- manage and oversee third-party risks, especially in areas like cloud services and critical IT utilities.
An overview of the five pillars of DORA
When drawing up the objectives of DORA, the regulators provided the following pillars to help organisations structure their approach:
- IT risk management requirements: Establishing robust mechanisms to identify, measure and mitigate IT risks.
- Incident reporting mechanism: Mandatory reporting of major IT-related incidents to national and EU authorities.
- Digital operational resilience testing: Regular testing to assess the resilience of IT systems and infrastructures.
- Management of IT third-party risk: All financial entities must ensure that their third-party service providers adhere to stringent resilience standards.
- Information sharing: Encouraging sharing of cyber threat intelligence and best practices among financial entities without breaching confidentiality obligations.
Implementation timeline
2022: Approval by the European Parliament
2023: Entry into force (January)
2024: Additional regulation on specific technical areas to be issued as Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)
- First set of rules (January 2024)
- Second set of rules (July 2024)
2025: Requirements enforceable (January 17th)