Digital Operational Resilience Act

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) was published in the Official Journal of the European Union on 16th of January 2023 and will come into force from 17th January 2025. The regulation was created with the intention of replacing and harmonising existing guidelines related to cybersecurity resilience . With this regulation in place, ICT service providers will be held responsible for the services they provide to financial entities. They will be under the supervision of the locally appointed authority which will be required to report back to the European Supervisory Authorities (ESA). These regulations are designed to assist the financial sector obtain a higher standard of ICT services from their providers by identifying the controls that must be taken into consideration when contracting an ICT service provider.

Before DORA, financial entities managed their operational risk mainly by allocating capital in their budget, but they did not manage all components of operational resilience. With the implementation of the requirements listed in and enforced by DORA, financial entities will be required to implement adequate governance over their ICT providers in order to detect, contain and recovery from ICT related incidents.

Effected Entities 
DORA impacts entities that form part of the financial industry and ICT third party service providers that are contracted by financial entities. 

Financial Entities

ICT Third-Party Service Providers

  • Credit institutions
  • Payment institutions and electronic money institutions
  • Account information service providers
  • Investment firms 
  • Crypto-asset service providers 
  • Central securities depositories
  • Central counterparties
  • Trading venues and trade repositories
  • AIFMs and management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings and intermediaries
  • Institutions for occupational retirement provision 
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitisation repositories

ICT third-party service provider means an undertaking providing digital and data services, including providers of

  • Cloud computing services
  • Software, data analytics services
  • Data centres
  • Critical ICT third-party service provider*

    *Designated as critical in accordance with Article 31

The 5 Pillars of DORA

This pillar mandates that financial entities establish and maintain a robust ICT (Information and Communication Technology) risk management framework. The framework must be integrated into the overall risk management system and should cover all aspects of ICT risk, including cybersecurity, ICT dependencies, and critical third-party service providers.

Key Requirements:

  • Develop a comprehensive ICT risk management strategy.
  • Implement procedures to identify, assess, and mitigate ICT risks.
  • Ensure continuous monitoring and review of ICT risks.
  • Integrate ICT risk management into the corporate governance structure.

DORA introduces standardized requirements for reporting ICT-related incidents. This aims to improve the detection and response to ICT incidents, ensuring that significant disruptions are promptly communicated to relevant authorities.

Key Requirements:

  • Establish processes for identifying and classifying ICT incidents.
  • Report significant ICT incidents to competent authorities within specified timelines.
  • Provide detailed incident reports, including root cause analysis and remediation actions.
  • Ensure transparency with stakeholders regarding significant ICT incidents.

Financial entities must conduct regular and comprehensive testing of their digital operational resilience. This includes various types of tests, such as vulnerability assessments, penetration testing, and advanced threat-led penetration testing (TLPT).

Key Requirements:

  • Develop a testing framework that covers all critical ICT systems and services.
  • Conduct regular tests to evaluate the effectiveness of ICT risk management controls.
  • Involve independent parties in advanced testing exercises.
  • Remediate identified weaknesses and gaps promptly.

DORA places a strong emphasis on managing risks associated with ICT third-party service providers. Financial entities must ensure that their ICT third-party providers adhere to stringent security and resilience standards.

Key Requirements:

  • Conduct thorough due diligence before engaging ICT third-party providers.
  • Establish contractual agreements that include clear ICT risk management and resilience requirements.
  • Monitor the performance and security practices of third-party providers continuously.
  • Have contingency plans in place for critical third-party service failures.

To enhance the overall cybersecurity posture of the financial sector, DORA encourages the sharing of cyber threat information and intelligence among financial entities and competent authorities.

Key Requirements:

  • Participate in information-sharing arrangements and forums.
  • Share relevant cyber threat intelligence in a timely and secure manner.
  • Utilize shared information to improve ICT risk management practices.
  • Collaborate with other financial entities and authorities to address common threats.

Before the act is to be put into force, Regulatory Technical Standard (RTS) and Implementing Technical Standards (ITS) have been released for consultation  for entities to better understand the intentions of the regulation and have the chance to provide feedback and question the regulation. With the help of the RTSs and the ITSs, the regulation's requirements are more detailed which help guide entities during implementation. These documents further supports the ideology of the regulation which is to harmonise ICT reporting and operations of financial entities in EU Member States.



DORA implements the principal of proportionality which means that entities shall implement the requirements based on size and overall risk profile

A 'micro enterprise' is defined by DORA as a financial entity which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed €2 million.
A 'small enterprise' is defined by DORA as a financial entity which employs between 10 to 50 persons, and has an annual turnover and/or annual balance sheet total that falls between €2 to €10 million.
  • RTS to specify the policy on ICT services performed by ICT third-party provider - (Article 28(10))
  • RTS on criteria for the classification of ICT-related incidents (Article 18(3))
  • ITS to establish the templates for the register of information (Article 28(9))
  • RTS on ICT risk management framework (Article 15)
  • RTS on simplified ICT risk management framework (Article 16(3))
  • RTS and ITS on content, timeline and templates on incident reporting
  • GL on aggregated costs and losses from major incidents
  • RTS on subcontracting of critical or important - functions
  • RTS on oversight harmonisation
  • GL on oversight cooperation between ESAs and competent authorities
  • RTS on threat-led penetration testing

NIS2 and DORA may seem complex when it comes to implementation. Therefore, it is important that entities are capable of understanding them individually before attempting to map the two frameworks to understand how they complement each other. It is also important to note that DORA takes precedence over the NIS2 Directive.

Both the NIS2 and DORA frameworks are European Union (EU) regulations which are applicable to entities in and/or based in the EU. These regulations work toward improving the cybersecurity resilience of entities providing critical services within the EU.

The NIS2 directive will come into force in October 2024. It is designed with the intention of focusing on the cybersecurity responsibilities of EU Member States, aligning their national strategies and processes with directive requirements. NIS2 expands on the NIS directive from 2016 by introducing more essential entities and important entities.

The difference between the two directives being the criticality of their services.

What to do?
☑ Contact an advisory firm
☑ Understand DORA's impact on your entity 
☑ Leverage DORA RTSs and ITSs for control identification and embedment
☑ Assign implementation responsibilities
☑ Foster a risk awareness culture
☑ Conduct ICT awareness training
☑ Continuous monitoring and implementation review 

How can we help?
☑ Independent Assessment and Testing
☑ Project Management 
☑ Technical implementation expertise
☑ DORA and ERM related technologies