What is DORA?
The Digital Operational Resilience Act, also known as DORA (Regulation (EU) 2022/2554), is an EU Regulation that entered into force on 16 January 2023 and applies from 17 January 2025. It aims to strengthen the IT security of financial entities while making sure that the financial sector in the EU can stay resilient in the event of a severe operational disruption.
DORA explicitly refers to information and communication technology (ICT) risks and sets rules on their management. The Regulation acknowledges that ICT incidents and a lack of operational resilience can jeopardize the soundness of the entire financial system. It lays down uniform requirements concerning the security of the network and information systems supporting the business processes of financial entities.
Who is DORA targeting?
DORA harmonizes the operational resilience rules for the financial sector and applies to 20 different types of financial entities as well as to ICT third-party service providers. This includes traditional financial entities, such as credit institutions (banks), investment firms and payment institutions, as well as non-traditional entities, including crypto-asset service providers and crowdfunding platforms.
Notably, the Regulation also reaches entities typically excluded from financial regulation: the ICT third-party service providers that supply financial entities with ICT services and systems. Additionally, DORA covers entities that supply information services to the financial sector, such as credit rating agencies and data reporting service providers.
Why is DORA needed?
The financial sector is increasingly dependent on technology to deliver its services. Financial entities are vulnerable to cyber-attacks and incidents, which may disrupt financial services across borders. Such disruption can spill over to other companies, sectors and the rest of the economy, which underlines the importance of the digital resilience of the financial sector.
The Estonian Cybersecurity Act does not regulate ICT services whatsoever, whereas DORA sets out principles and requirements for ICT risk management frameworks and general requirements for reporting ICT-related incidents. Additionally, the Regulation encourages entities to share information on cyber threats and to collectively leverage their individual knowledge and practical experience.
How to put DORA in practice?
DORA follows the principle of proportionality: financial entities shall implement the Regulation taking into account their size and overall risk profile, and the nature, scale and complexity of their services.
The management body of each financial entity holds the ultimate responsibility for ICT risk management, from overseeing to implementing the arrangements that make up the ICT risk management framework. The framework shall include comprehensive strategies, policies and protocols as well as the tools needed to protect ICT assets and physical infrastructure. The systems in place must be appropriate, reliable and technologically resilient. Additionally, the framework must be reviewed at least annually, and internal audits and risk assessments are mandatory.
Furthermore, financial entities must define and implement an ICT-related incident management process to detect, manage and notify such incidents. They are obligated to report all major ICT-related incidents to the relevant competent authorities.
What is next?
The European Commission is developing the oversight framework for critical ICT third-party service providers, which is expected to be finalized in 2024. In January 2024, the European Supervisory Authorities (ESAs) published the first set of technical standards under DORA, covering ICT risk management, third-party risk management and incident classification, with a second batch due later in 2024. From 17 January 2025, all financial entities and ICT third-party service providers in scope must comply with the Digital Operational Resilience Act, and the relevant competent authorities will hold the supervisory, investigatory and sanctioning powers to enforce it.