Digital Operational Resilience Act (DORA)

The number of cyber risks is increasing, while financial companies are becoming even more dependent on digital technologies. As a result, the European Union adopted the EU DORA regulation at the end of 2022. It harmonizes the security and resilience practices of financial companies in the EU.

This article explains what DORA means and who the regulation affects. You’ll also find an overview of how businesses are implementing the regulations to maintain continued operations and provide network security for their information systems in the event of serious incidents.

DORA stands for Digital Operational Resilience Act, which means it deals with digital operational resilience. This is a financial sector-wide regulation at EU level. With this regulation, the EU is creating uniform rules on how financial markets – including banks and insurance companies – address the issue of cybersecurity and minimize ICT (information and communication technology) risks. By doing so DORA tightens the regulations regarding the use of ICT systems.

DORA’s guidelines are primarily preventive in nature. The EU wants to prepare businesses for increased cyber risks on the financial market. When incidents occur, the DORA regulations are intended to enable financial companies to respond better and, more effectively.

With the ongoing advances in digitalization, risks have grown in recent years, often arising from the ICT systems or technologies in use. Financial companies frequently depend on these technologies, which are often sourced from third-party ICT service providers. For this reason, DORA establishes binding requirements for businesses in financial markets with regard to their ICT strategies and cooperation with ICT companies and ICT service providers. 

Developing strategies in ICT risk management

With DORA, the EU is calling on banks, insurance companies and other organizations in the financial sector to develop strategies for digital resilience. The strategies serve as a framework and are based on the requirements of international standards for ICT risk management. In ICT risk management, financial companies set clear objectives for information security.

Report serious ICT-related incidents

Financial companies are required to classify and report ICT incidents. As part of the ICT risk management framework, DORA provides communication plans for financial companies. These plans must be activated as needed, especially in the case of serious ICT-related incidents

Testing and replacing risks

At the same time, the EU requires certain financial companies to conduct regular and independent tests for ICT incidents related to cybersecurity. Specifically, these are digital operational resilience tests.
The testing is used by financial companies and regulators for monitoring purposes. Source code tests, performance tests or threat-led penetration tests show whether the aim of digital operational resilience has been achieved. They are an integral part of risk management.
To reduce ICT risks in general, DORA also regulates how businesses can voluntarily exchange information on ICT risks within trusted financial communities.

Collaborate with third-party ICT providers

When financial companies work with third-party ICT providers, DORA’s measures also apply to those providers. Companies must keep detailed records of their contractual relationships and develop plans for potential contract termination. The focus is on the strategies both financial companies and their ICT partners use to prevent and manage risks. In short, DORA establishes standards for how financial institutions work with third-party ICT services. 

DORA affects businesses across Europe that work in the financial sector or provide ICT services to companies in the European financial sector. In Germany, the DORA legislation applies to all financial companies regulated by the Federal Financial Supervisory Authority (BaFin), including:

• Banks
• Insurance and reinsurance companies
• Traditional payment service providers
• Crypto service providers
• E-money institutions
• Credit institutions
• Trading centers
• Providers of other financial services
• Account information service provider
• Investment firms
• Investment funds and their management

The importance of DORA is particularly relevant for ICT service providers. ICT companies now have to implement DORA legislation in their processes, regardless of whether or not they are headquartered in the EU. If they work with financial companies in the EU, then DORA requirements also apply to them.

Also, the legislation creates a new supervisory framework for ICT service providers. This includes supervision of critical ICT service providers by European supervisory authorities. This represents a major step toward harmonizing regulatory requirements at EU level.

Hey Doxi, when does DORA need to be implemented?

Behind DORA is the European Commission’s idea of creating digital operational resilience in the financial sector. These four main problems express the core idea behind DORA:

1. Increase in serious cyber incidents in financial companies: DORA strengthens digital resilience and cybersecurity in the financial sector.
2. Regulatory fragmentation in dealing with cybersecurity issues in the EU: DORA harmonizes and standardizes requirements for digital operability and cybersecurity at EU level.
3. Serious business interruptions due to cyberattacks: DORA sets standards so that businesses are better prepared for cyber risks and can respond to them effectively.
4. Maintaining trust in the financial sector: DORA helps to ensure that consumers and investors continue to view the financial sector as trustworthy and secure.

Since the DORA Regulation came into force, regulators have been developing draft regulatory technical standards (RTS) and implementation standards (ITS).

On January 17, 2024, the final drafts of the technical regulatory and implementation standards for DORA were published, and they were adopted by the European Commission on March 13, 2024. They are currently in a three-month testing phase.

Since DORA is an EU regulation, it's also directly applicable in national law. As part of the digitalization of financial markets, the Federal Ministry of Finance has presented a government draft. A Financial Market Digitalization Act (FinmadiG) is planned, which brings together several laws, including the DORA package.

The government, the supervisory authority BaFin and players in the financial sector must comply with the DORA regulatory framework by January 17, 2025. As an IT service provider, we are of course also preparing for DORA. What’s more, an enterprise content management platform like Doxis  can make a significant contribution to meeting the requirements of DORA by supporting the management, security and continuity of information and processes in financial institutions.

FAQs about DORA