Introduction

The Digital Operational Resilience Act (DORA) is a comprehensive regulation by the European Union, set to take effect on January 17, 2025. It aims to enhance digital security and resilience within the financial sector, encompassing a wide range of entities such as banks, insurance companies [1] [3] [5] [7] [8], and crypto asset providers [3]. DORA addresses the risks associated with outsourcing and mandates robust IT systems to withstand cyber-attacks and ensure operational continuity.

Description

The Digital Operational Resilience Act (DORA) [1] [2] [3] [4] [6] [7] [8] [10], effective January 17, 2025 [5] [10], is a comprehensive EU regulation designed to enhance digital security within the financial sector [5], which includes banks [3], insurance companies [1] [3] [5] [7] [8], investment firms [3] [7] [8], pension funds [3], payment providers [3], trading venues [1] [3], and crypto asset providers [3]. DORA aims to bolster the digital resilience of these entities while addressing outsourcing risks, mandating that they establish IT systems capable of withstanding cyber-attacks and maintaining operational continuity during IT failures [5].

This regulation imposes direct and indirect requirements on the Information and Communication Technology (ICT) service providers that support these financial institutions. DORA adopts a risk-based approach that sorts ICT service providers into three groups. The first group, Critical ICT Third-Party Service Providers (CTPPs), is designated by EU authorities on the basis of limited substitutability [4], systemic impact [4], and the essential role such providers play in supporting critical functions of financial entities. CTPPs are subject to stringent oversight [4], with a lead overseer assigned from one of the European Supervisory Authorities (ESAs) [4]. The first CTPP designations are anticipated in the second half of 2025 [1], and designated providers must establish a subsidiary in the EU to comply with DORA’s requirements.

The second category comprises Third-Party Providers (TPPs) that support critical or important functions but are not designated as CTPPs [4]. Financial institutions are required to impose strict contractual obligations on these TPPs to ensure service security and continuity [4]; such obligations may include undergoing Threat-Led Penetration Testing (TLPT) and audits by competent authorities under DORA [4]. The third category encompasses TPPs that do not support critical or important functions [4]. These face less stringent contractual obligations [4], although financial entities must still ensure that they adhere to certain obligations [4], the emphasis being on a general duty to cooperate [4]. For these TPPs, the requirements of the NIS2 Directive for the Digital Infrastructure and ICT Service Management sectors serve as the primary obligations [4], which financial entities must enforce contractually [4].

DORA mandates that financial institutions enhance their ICT and security risk management frameworks to address the growing threats posed by cyber attacks and ICT risks. Institutions are required to streamline incident response, conduct resilience testing [1] [9], and oversee third-party relationships [7], particularly those involving providers outside the EU. The regulation emphasizes that operational resilience must extend to the supply chain [3], establishing clear requirements for outsourcing arrangements [3], proactive risk management [2] [3] [7] [8] [9], contract governance [3], and oversight of third-party ICT providers [3].

The definition of “ICT services” is broad [3], encompassing cloud computing [3], data storage [3], cybersecurity [1] [2] [3] [4] [5] [7] [8] [9] [10], and IT support [3], and applies even if a supplier does not have direct access to the financial entity’s ICT systems [3]. Enhanced requirements are imposed on ICT services supporting critical functions [3], necessitating detailed due diligence and monitoring to prevent disruptions that could affect operational stability [3].

DORA requires a robust governance and risk management structure [2], requiring institutions to implement strategies for identifying [2], assessing [2] [6], controlling [2], and monitoring ICT risks [2]. This includes monitoring the adoption of technical standards on the subcontracting of ICT services [6], conducting regular threat-led penetration testing to proactively identify and address vulnerabilities [2], and establishing swift incident response protocols for technological challenges [9]. Institutions must also establish procedures for detecting anomalies and activating incident response processes promptly, so as to minimize the risk of disruption [2].

A 2024 EY survey indicated that 82% of European banking chief risk officers viewed cybersecurity as the most significant risk for their businesses [8], underscoring the importance of maintaining robust technology inventories [8], regular patching [8], hardening systems [8], monitoring [1] [2] [3] [5] [6] [8] [9], and having recovery mechanisms in place [8]. However, many financial service providers [10], particularly midsize companies, are lagging in compliance, with an average of only 45% adherence to the new regulations. Factors contributing to this slow progress include the late release of technical standards and unclear regulations regarding third-party risk management [10].

DORA places a strong emphasis on incident management and third-party risk, requiring institutions to analyze and address the root causes of incidents and report them to supervisory authorities [2]. It holds external ICT providers to the same standards as financial institutions [2], thereby reducing the risk of cascading failures [2]. Institutions are also encouraged to collaborate across internal departments to ensure effective compliance implementation and adequate staffing for ongoing obligations [6].

Collaboration is essential to DORA’s success [2]: the regulation promotes the sharing of cyber threat intelligence among financial institutions and supervisory authorities [2], and this collective effort enhances the preparedness and resilience of the sector as a whole. Institutions must also prepare to engage with the national competent authorities (NCAs) that will supervise and enforce DORA [6], while keeping track of the European Supervisory Authorities’ designation of third-party providers as “critical” and assessing what that designation implies for their own use of such providers [6].

DORA sets a global benchmark for operational resilience in financial services [8], significantly affecting financial institutions beyond the EU [8], including those in North America and the Asia-Pacific region [8]. Companies operating in or connected to the EU will need to align their local regulatory requirements with DORA compliance to remain competitive and ensure interoperability with EU clients. Non-compliance with DORA’s requirements can lead to severe financial penalties [9]; the cited sources give different figures, with administrative fines of up to €5 million or 10% of total annual turnover reported in [1], and fines of up to 2% of a company’s global annual turnover or €10 million, whichever is higher, reported in [8]. Additional fines may apply for ongoing non-compliance [8], alongside suspensions of managerial positions [1] and potential criminal sanctions [1]. By integrating resilience into their operational strategies [2], institutions can recover quickly from disruptions while maintaining security [2]. DORA aims to create a secure and resilient financial ecosystem [2], benefiting both individual institutions and the sector as a whole [2]. With DORA fully implemented [2], the financial sector is positioned to better safeguard its stability and security against evolving cyber threats [2], with global implications for any ICT service provider working with EU financial institutions [9], regardless of where it operates [9].

Conclusion

DORA represents a significant step forward in enhancing the digital resilience of the financial sector. By imposing stringent requirements on both financial institutions and their ICT service providers, it aims to mitigate the risks associated with cyber threats and outsourcing. The regulation’s global implications necessitate that institutions worldwide align their practices with DORA to ensure compliance and maintain competitiveness. As the financial sector adapts to these new standards, it will be better equipped to safeguard against evolving cyber threats, ultimately contributing to a more secure and resilient financial ecosystem.

References

[1] https://www.jdsupra.com/legalnews/dora-new-eu-cybersecurity-requirements-2113991/
[2] https://www.cybersecurityintelligence.com/blog/a-new-era-of-digital-resilience-for-the-eu-8199.html
[3] https://www.lexology.com/library/detail.aspx?g=1d5ae64f-6cf9-4a95-aed1-7410396bbd1b
[4] https://www.dittmar.fi/insight/dora-key-implications-for-ict-service-providers/
[5] https://teamwire.eu/en/blog/dora-digital-operational-resilience-act/
[6] https://natlawreview.com/article/dora-takes-effect-key-next-steps-firms
[7] https://businessplus.ie/news/new-cyber-attack-laws/
[8] https://www.siliconrepublic.com/enterprise/eu-dora-finance-cybersecurity
[9] https://www.techuk.org/resource/dora-takes-effect-the-eu-s-new-digital-resilience-requirements.html
[10] https://www.csoonline.com/article/3805126/dora-implementation-keeps-bank-cisos-on-their-toes.html