Understanding DORA: Digital Operational Resilience Act Now in Effect for Financial Entities and ICT Service Providers
DORA, the first EU regulation designed to establish a unified and robust digital resilience standard for the financial sector, becomes directly applicable on January 17, 2025, introducing significant penalties and consequences for a broad range of financial entities and third-party ICT service providers.
The Digital Operational Resilience Act ("DORA"), Regulation (EU) 2022/2554, represents a pivotal step in strengthening the digital operational resilience framework for financial entities across the European Union. The regulation addresses gaps and inconsistencies in existing legal acts concerning information and communications technology ("ICT") risk management and complements other recent EU cybersecurity laws (see our previous Alerts on the NIS 2 Directive and the Cyber Resilience Act).
Aim and Scope
DORA applies to 20 types of financial entities, including banks, insurance companies, investment firms, management companies and crypto-asset service providers.
The legislation also imposes new obligations on the management bodies of financial entities and on "critical" ICT service providers that support financial entities, subjecting them to direct oversight by EU financial regulators.
Key Areas
To comply with DORA, in-scope financial entities must adopt robust measures across several key areas:
- Develop and maintain a comprehensive ICT risk management framework capable of identifying, monitoring, preventing and mitigating ICT-related risks, with regular reviews and internal audits.
- Establish processes to detect, respond to, and report ICT-related incidents and major operational or security payment-related incidents to the relevant supervisory authorities.
- Put in place a robust digital operational resilience testing program that includes a range of assessments and tools, such as threat-led penetration testing ("TLPT").
- Develop and regularly review an ICT third-party risk management strategy, including mandatory provisions in contracts with ICT service providers and a register of information documenting all existing contractual arrangements.
- Finally, DORA encourages, but does not require, financial entities to share information and intelligence about cyber threats among themselves.
Enforcement and Penalties
Supervisory authorities will oversee compliance and have wide-ranging powers, including access to documents and data, the ability to conduct on-site inspections, and authority to impose administrative penalties and remedial measures.
DORA requires Member States to establish appropriate administrative penalties and measures for non-compliance, which may include criminal fines and remediation orders. Member States may also impose personal fines and sanctions on senior management of financial entities. Critical ICT service providers may face daily fines for up to six months, calculated at 1% of their average daily global turnover.
Next Steps
Financial entities should map their ICT services and evaluate their current ICT risk management practices for compliance with DORA. Where necessary, they should update and formalize ICT governance frameworks, incident response protocols, and third-party monitoring procedures. Revising contractual arrangements with ICT service providers will also be critical for ensuring adherence to DORA's oversight and compliance obligations. Conversely, ICT service providers serving financial entities should review customer contracts to make sure they are in line with DORA requirements, and should accordingly revisit arrangements with their subcontractors to ensure compliance across the supply chain.