What is DORA and why is the regulation important for financial institutions?

DORA stands for the Digital Operational Resilience Act, an EU regulation that comes into effect in January 2025. The goal of the regulation is to make the various IT systems used within the financial sector more robust.

The background is that the financial sector is increasingly dependent on both in-house and outsourced technology to deliver its services, and that the financial sector is crucial for society and the economy to function.

Poor management of ICT risks can lead to disruptions in financial services. This will affect individuals, businesses, and the entire economy. This is where DORA comes in to ensure that all entities in the financial sector can handle these challenges.

The regulation covers five main areas:

1. ICT risk management

Requirements for corporate governance and a risk management framework. Financial entities must have a framework for governance and control in line with the three lines of defense (see below).

2. Incident management

Financial entities must have a procedure to detect, manage, and report incidents. There are requirements for what the procedure should include, how entities should classify incidents, when incidents should be reported, and how they should be reported.

3. Testing of digital resilience

Threat-based penetration testing (TLPT) must be conducted at least every three years. DORA sets requirements for execution, who is qualified to test, and how tests should be followed up.

4. Third-party risk management

Risk management covers vendor risk related to both ICT services and ICT outsourcing. DORA sets requirements for assessments before an agreement is made, how the agreement should be followed up, and what the agreement must contain.

5. Information sharing

Financial entities must share information about cyber threats and vulnerabilities across organizations and with relevant authorities. This includes reporting IT incidents, sharing threat information, and collaborating to improve cybersecurity.

In the first point above—ICT risk management—the three lines of defense are mentioned. They are:

• First line: Operational management, which is responsible for identifying and managing risks directly in their daily activities.
• Second line: Risk management and compliance functions, which monitor and ensure that risks are managed correctly.
• Third line: Internal audit, which independently assesses the effectiveness of governance, risk management, and control processes.

DORA in a historical context

Financial markets and the digital threats the sector faces have become increasingly globalized. However, there has not been a unified European framework for ICT security in finance. Resilience and ICT security requirements have instead been regulated by each country, increasing the risk that unwanted incidents can spread across borders.

In addition to national rules, there have been EU requirements covering ICT security in only parts of the financial sector. These have often been developed by the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), or the European Insurance and Occupational Pensions Authority (EIOPA).

Since rules for IT risk have only been partially harmonized at the EU level, there are gaps and overlapping rules, especially in the reporting of ICT incidents and penetration testing. This creates problems for the financial sector, which is dependent on technology and operates across borders. When financial institutions must follow different national rules, it becomes challenging and costly to manage IT risks effectively.

To consolidate and significantly expand the pan-European rules on ICT risk management in the financial sector, the EU adopted Regulation (EU) 2022/2554 on digital operational resilience in December 2022, which is better known as DORA.

With DORA, we get comprehensive legislation for ICT security in finance that will be uniform across all EU countries. We are talking about a real big fix. DORA involves legislation that is both more effective and easier for financial entities to adhere to. DORA comes into force in January 2025.

Although DORA is new, the regulation builds on existing guidelines developed by the aforementioned European financial supervisory authorities. The requirements are related to various areas known from ICT risk management: identification, protection and prevention, detection, response and recovery, third-party risk management, learning, development, and communication.

How DORA affects financial stability and digital resilience

The importance of stability in the financial sector, and the role technology plays in ensuring this, is largely the basis for the adoption of DORA. DORA impacts financial stability through the requirements it sets for digital resilience.

In short, it's about preventing incidents through governance and control, proper handling of unwanted incidents, regular testing of current systems, and how outsourced services are managed. Let's take a closer look at four areas and what (some of) the requirements mean in practice:

1. Requirements for the ICT risk management framework: The goal is for the framework to enable the entity to manage ICT risk quickly, effectively, and comprehensively. Therefore, there are requirements to develop strategies, guidelines, and procedures for various parts of the ICT business, how often the framework should be reviewed, and requirements for internal audits. This is further strengthened by requirements for regular training and mapping of the technology used.
   
   
2. Requirements for handling ICT incidents: Financial entities must log all ICT incidents and serious cyber threats. They must also have procedures for monitoring, managing, and following up. This is to identify, document, and address the root cause to prevent recurrence. Here too, there are requirements for employee learning and development.
   
   
3. Requirements for regular penetration tests: At least every three years, threat-based testing of the digital resilience of the financial entity's own and outsourced ICT solutions must be conducted. The goal is to assess readiness for handling ICT incidents and identify weaknesses, deficiencies, and deviations in digital resilience, as well as provide a basis for quickly implementing improvement measures.
   
   
4. Requirements for managing third parties—external ICT providers: DORA sets requirements for a risk-based approach when financial entities enter into agreements with external ICT providers. All entities must have a register that provides an overview of the use of services from ICT providers. It must register which services support critical or important functions, and this register must be available to supervisory authorities.

Industries affected by DORA

• Credit institutions   
• Payment institutions 
• Account information service providers   
• Electronic money institutions   
• Investment firms
• Crypto-asset service providers    
• Central securities depositories    
• Central counterparties
• Trading venues 
• Trade repositories   
• Managers of alternative investment funds
• Management companies
• Data reporting service providers 
• Insurance and reinsurance undertakings
• Insurance intermediaries 
• Reinsurance intermediaries
• Institutions for occupational
• Retirement provision 
• Credit rating agencies
• Administrators of critical benchmarks  
• Crowdfunding service providers 
• Securitisation repositories ·    
• ICT third-party service providers
  
  

Most companies in the financial sector are covered by DORA, with some exceptions. Auditors, accountants, real estate agents, and debt collection agencies are generally not included under the regulations.

Why DORA is important for cyber threats

At an overall level, DORA's goal is to create high digital resilience across the EU by introducing common requirements for the security of networks and information systems that support financial services. DORA is important for preventing cyber threats for several reasons, not least:

• The scope of cyber threats in the world is increasing, and they are cross-border and becoming more sophisticated.
• DORA sets stricter requirements for financial entities to actually comply with regulations to protect themselves against cyber threats.
• With uniform requirements throughout the EU, financial entities can have a more holistic approach to cyber threats.

The main goal of DORA is to prevent and protect the financial sector from cyber threats that could harm each financial entity. The regulation also ensures that companies can handle incidents and recover from all types of ICT-related problems.

 Book a digital demo of our solution for DORA in the calendar