
The Basics of the Digital Operational Resilience Act (DORA)
What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation designed to strengthen the cyber and operational resilience of the European financial sector. DORA has applied since January 17, 2025, and requires financial entities to strengthen their IT security, manage information and communication technology (ICT) risks and maintain business continuity in the face of cyber threats and technological disruptions.
DORA was introduced as part of the EU Digital Finance Package and recognises that the financial sector is heavily reliant on digital infrastructure. It replaces fragmented national rules on ICT risk management with a single, harmonised set of requirements. The aim of the act is to establish consistent operational resilience standards across all EU financial entities and the critical third-party technology providers they depend on.
Who Does the DORA Apply to?
DORA has a broad scope and applies to nearly all financial entities operating within the EU. In total it covers 21 different types of financial entity, 12 of which fall within the remit of the European Securities and Markets Authority (ESMA). Entities in scope include, but are not limited to:
- Banks and investment firms
- Payment service providers
- Trading venues (regulated markets (RMs), organised trading facilities (OTFs) and multilateral trading facilities (MTFs))
- Central counterparties (CCPs) and central securities depositories (CSDs)
- Insurance firms
- ICT third-party service providers
The Five Main Pillars of the DORA
DORA mandates that financial entities adopt a comprehensive digital operational resilience strategy built on the following five pillars:
- ICT Risk Management
- Incident Reporting
- Digital Operational Resilience Testing
- ICT Third-Party Risk Management
- Information Sharing
ICT Risk Management
Financial entities must establish a robust ICT risk management framework and integrate it into their overall risk strategy. This includes governance measures, regular risk assessments and business continuity plans.
Incident Reporting
Financial entities must implement standardised procedures for identifying, classifying and reporting major ICT-related incidents to their competent authority within strict timelines, following a staged process of initial notification, intermediate report and final report. This harmonises reporting across the EU and broadens the range of incidents that must be reported compared with earlier sector-specific regimes.
Digital Operational Resilience Testing
Financial entities must test their ICT systems regularly as part of a digital operational resilience testing programme. Entities identified by their competent authority as required to do so must additionally carry out Threat-Led Penetration Testing (TLPT) at least every three years: a controlled, intelligence-led red-team test that mimics the tactics, techniques and procedures of real threat actors against the live production systems supporting critical or important functions.
ICT Third-Party Risk Management
Financial entities must identify and monitor the risks arising from ICT services provided by third parties and maintain a register of information covering all of their contractual arrangements with ICT third-party service providers. Contracts with vendors must include security, audit and cooperation requirements, and exit strategies must be in place for ICT services that support critical or important functions.
Information Sharing
DORA encourages financial entities to share cyber threat intelligence with other market participants to strengthen the collective defence against cyber risks. Financial entities face increasingly sophisticated cyber threats, and collaborative intelligence-sharing arrangements help firms detect, respond to and mitigate emerging risks more effectively.
Why is the DORA important for EU markets?
DORA is designed to play an important role in European financial markets by improving financial stability across the EU and ensuring that financial institutions and their ICT providers are prepared for cyber threats and operational disruptions. By harmonising digital resilience requirements, DORA reduces the possibility of inconsistencies between national frameworks and creates a more unified and predictable regulatory landscape.
Disruptions caused by cyber attacks and IT failures have the potential to cripple critical financial services such as payments, trading and investment management. DORA mandates that financial firms implement robust risk management measures to minimise downtime, protect consumer information and maintain trust in the financial markets.
By establishing clear oversight for ICT providers, DORA helps mitigate the risks associated with cloud computing and outsourced technology services. This is particularly relevant in the financial sector as financial institutions increasingly rely on third-party service providers for their core operations. DORA strengthens cross-border collaboration on cybersecurity and provides consistent resilience standards for financial entities within the EU, improving the stability of the financial markets.
In summary, the Digital Operational Resilience Act (DORA) aims to strengthen the resilience of the EU financial sector by ensuring that financial entities and their ICT providers can identify, respond to and recover from cyber threats, IT failures and operational disruptions.
DORA also holds third-party ICT providers accountable: ICT third-party service providers designated as critical are brought under a direct EU oversight framework led by the European Supervisory Authorities. Financial entities themselves must assess and monitor the risks associated with all of their ICT vendors, ensure that contracts include security and audit clauses, and maintain a register of information on their third-party ICT dependencies.