DORA Regulation (Digital Operational Resilience Act): Everything You Need to Know
The DORA Regulation (Digital Operational Resilience Act), or EU Regulation 2022/2554, was adopted by the European Parliament and the Council of the European Union on December 14, 2022. This regulation aims to strengthen the digital operational resilience of the financial sector in the European Union. It will enter into force on January 17, 2025.
Sarah Zouaki
11/27/2024 · 3 min read


What is its goal?
The DORA Regulation aims to ensure a high common level of digital operational resilience for financial entities by defining uniform requirements for the security of networks and information systems. Digital operational resilience refers to the ability of a financial entity to maintain and protect its operations while ensuring the integrity and reliability of its IT systems. This includes managing both its own technological resources and those provided by third-party ICT (Information and Communication Technology) service providers. This resilience ensures that the entity can continue to provide its financial services without interruption, even in the event of disruptions or cyberattacks, thus preventing systemic crisis risks.
It covers managing risks related to ICT, reporting major incidents to competent authorities, conducting digital resilience tests, sharing information on cyber threats, and managing risks linked to third-party ICT service providers. It also establishes a supervisory framework for critical ICT service providers and strengthens cooperation among competent authorities.
Which sectors are covered by DORA?
The DORA Regulation applies to a wide range of financial entities, including: banks, payment institutions, account information service providers, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading platforms, central repositories, alternative investment fund managers, management companies, insurance and reinsurance companies, insurance intermediaries, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, and ICT service providers. DORA aims to apply to all key actors in the European financial sector.
Which actors are affected by DORA?
All the financial entities listed above fall under the scope of the regulation. However, the regulation applies the principle of proportionality. Financial entities must adapt digital security rules according to their size, risk profile, and service complexity. This means that smaller businesses or those with less complex activities are not required to follow the same measures as larger financial institutions. However, they must apply the measures appropriately to their own situation. Competent authorities will consider this proportionality when assessing whether these entities are effectively managing ICT-related risks.
What are the concrete obligations for the affected entities?
The DORA Regulation requires financial entities to develop a comprehensive risk management strategy for ICT-related risks. This includes setting up a governance and control framework under the supervision of the management body (Article 5), a documented ICT risk management framework (Article 6), the use of reliable and up-to-date systems (Article 7), the identification and documentation of critical ICT assets (Article 8), risk protection and prevention (Article 9), rapid incident detection (Article 10), business continuity and recovery plans (Article 11), backup and restoration policies (Article 12), post-incident reviews to improve resilience (Article 13), and crisis communication plans (Article 14).
Entities must also document and reassess their policies annually to ensure they remain suitable for new threats and technological developments.
Focus on the obligations related to "management, classification, and notification of ICT-related incidents"
In particular, financial entities must define, establish, and implement a rigorous ICT incident management process to detect, manage, and report these incidents (Article 17). This process includes establishing early warning indicators, incident classification procedures, communication plans, and notifications to management members. Entities must also classify incidents and cyber threats according to specific criteria (Article 18) and report major incidents to competent authorities (Article 19). They can voluntarily report significant cyber threats but must always inform their customers about major incidents.
The affected entities must submit initial notifications, interim reports, and final reports to the competent authorities, but they may outsource these obligations to third-party service providers. The competent authorities must assess the relevance of incidents for other member states and provide feedback to financial entities. Finally, the requirements also apply to operational or security incidents related to payments (Article 23).
Focus on the obligations related to "operational resilience testing"
The DORA Regulation requires financial entities, other than microenterprises, to implement a solid and comprehensive digital operational resilience testing program. This includes assessments, tests, methodologies, practices, and specific tools such as vulnerability testing, open-source analysis, penetration testing, and performance testing.
The tests must be performed by independent internal or external parties, and entities must prioritize, classify, and address any issues identified during the tests.
ICT systems and applications supporting critical functions must be tested at least once a year.
Financial entities must also conduct threat-led penetration tests and, when they use internal testers, must engage external testers for every third test.
Competent authorities can designate the financial entities required to carry out these tests and delegate certain tasks to other national authorities.
European Supervisory Authorities (ESAs) are responsible for developing regulatory technical standards to clarify the criteria and requirements for threat-based penetration testing, taking into account the specifics of each financial sub-sector.
What are the penalties for non-compliance?
The regulation provides for administrative sanctions and corrective measures to ensure compliance with its provisions.
Competent authorities have supervisory, investigatory, and sanctioning powers to carry out their tasks. They can access any relevant documents or data, conduct on-site inspections, interview representatives of financial entities, and impose corrective measures in case of non-compliance.
Member states are responsible for setting administrative sanctions and corrective measures that are appropriate, effective, proportionate, and dissuasive. These sanctions may include injunctions, requirements to cease harmful practices, fines, data recording, and public communications.
Competent authorities can apply these sanctions directly, in collaboration with other authorities, by delegation, or by referral to judicial authorities.
However, sanction decisions must be justified and can be subject to appeal.