What is DORA: Compliance with the Digital Operational Resiliency Act

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) addresses a pivotal problem in EU financial regulation.

DORA aims to standardize the rules on operational resilience across the financial sector, covering 21 different types of financial entities. It addresses key areas such as ICT risk management, incident management and reporting, testing the operational resilience of ICT systems, and the oversight of ICT third-party risk.

Contents

When will DORA be applicable?
To whom does DORA apply?
Key provisions of the DORA regulation
NIS2 Directive and DORA
Legal basis of DORA

When will DORA be applicable?

DORA applies from 17 January 2025. At the moment, the final drafts are still being formulated.

To whom does DORA apply?

DORA applies to every financial entity operating within the jurisdiction overseen by the regulatory authorities. This encompasses banks, insurance companies, investment firms, payment service providers, and other entities engaged in financial services.

All financial entities are obligated to adhere to the stipulations of DORA and meet the regulatory standards to guarantee operational resilience.

Before the implementation of the regulation, financial institutions primarily addressed major operational risk categories through capital allocation, yet not all facets of operational resilience were actively managed.

With the advent of DORA, these institutions are now obligated to adhere to guidelines encompassing the safeguarding, detection, containment, recovery, and repair capabilities in response to ICT-related threats and incidents.

Key provisions of the DORA regulation

The Digital Operational Resilience Act (DORA) centers around five components designed to formalize the requirements for financial entities.

ICT risk management

DORA underscores the necessity for a robust risk management framework. All companies are required to take full responsibility for managing digital risks through the implementation of a governance and control structure. 

This framework must create a strategy based on risk tolerance, addressing the identification and prevention of risks, while demonstrating the capability to respond to disruptions.

Digital operational resilience testing

Companies are instructed to conduct comprehensive scenario testing of security and resilience. Major firms are specifically required to have an independent tester perform advanced large-scale security tests every three years on critical functions and ICT providers.

Management of third-party supply chain

DORA highlights the importance of supply chain management. Financial entities are obligated to assess the resilience of their third-party ICT service providers and ensure compliance with DORA requirements.

To mitigate the risk of systemic economic disruption, companies must monitor technology providers' risk throughout the relationship, employing efficient third-party risk management practices.

Reporting

DORA advocates for sharing incident data and information about threats among financial entities and their third-party ICT service providers to enhance resilience. It mandates companies to use a standardized methodology for incident reporting and classification, incorporating criteria to determine the duration, impact, and criticality of affected services. 

Significant incidents must be reported to regulators, fostering a collaborative approach that strengthens the sector's ability to detect, prevent, and respond to operational disruptions.

Sharing information

The guidelines encourage collaboration among financial entities to raise awareness of ICT risks, curb the spread of cybercrime, and support mitigation strategies. By identifying root causes, companies can proactively implement measures to prevent similar incidents.

NIS2 Directive and DORA

The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to boost the overall level of cybersecurity in the EU. The Commission's guidelines on the relationship between the NIS2 Directive and the Digital Operational Resilience Act (DORA) have further clarified how the two interact.

Article 1(2) of DORA stipulates that, for financial entities falling under the scope of the NIS2 Directive and its corresponding national transposition regulations, DORA is to be regarded as a sector-specific Union legal act.

As a consequence, the provisions of DORA on information and communication technology (ICT) risk management, handling of ICT-related incidents, digital operational resilience testing, information-sharing arrangements, and ICT third-party risk are to be applied instead of those outlined in the NIS2 Directive.

Legal basis of DORA

The objective of DORA is to eliminate barriers and enhance the establishment and operation of the internal market for financial services by standardizing rules related to ICT risk management, reporting, testing, and ICT third-party risk.

Existing disparities in this domain, evident in legislative and supervisory variations at both national and EU levels, pose hindrances to the single market in financial services. Financial entities engaged in cross-border activities encounter diverse, and sometimes conflicting, regulatory requirements and supervisory expectations, potentially impeding their freedom of establishment and provision of services.

Furthermore, differing regulations create distortions in competition among similar financial entities. The absence, partiality, or limitation of harmonization in certain areas leads to the development of disparate national rules or approaches. 

These variations, whether already enforced or in the process of adoption and implementation at the national level, can discourage the exercise of single-market freedoms for financial services. This is particularly evident in the realms of digital operational testing frameworks and the oversight of critical ICT third-party service providers.

Track, monitor, record, audit - ensure DORA compliance with SSH Zero Trust Suite 

The DORA regulation clearly outlines the cybersecurity areas that financial institutions need to focus on and improve, ranging from overall risk management to very concrete features such as tracking and reporting on incidents.

We at SSH Communications Security have 30 years of experience in helping financial institutions secure their environments and communications - whether it's between people, data centers, systems, networks, or others.

Our Zero Trust Suite is a modular set of software solutions that can help you comply with the requirements defined in the DORA regulation (as well as other regulations, like the NIS2 Directive).

With SSH Zero Trust Suite, you can:

  • Identify, authorize, restrict, and control your access and connections
  • Prevent risks and mitigate the likelihood of data leaks and breaches
  • Track, monitor, record, and audit all sessions
  • Protect your entire environment, whether it's on-prem, cloud, or hybrid
  • Share, transmit, and store sensitive information securely
