The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by January 17, 2025.

DORA has two main objectives: to comprehensively address ICT risk management in the financial services sector and to harmonize the ICT risk management regulations that already exist in individual EU member states. Before DORA, risk management regulations for financial institutions in the EU primarily focused on ensuring that firms had enough capital to cover operational risks. While some EU regulators released guidelines on ICT and security risk management, these guidelines didn't apply to all financial entities equally, and they often relied on general principles rather than specific technical standards.

With DORA, the EU aims to establish a universal framework for managing and mitigating ICT risk in the financial sector. By harmonizing risk management rules across the EU, DORA seeks to remove the gaps, overlaps, and conflicts that could arise between disparate regulations in different EU states. A shared set of rules can make it easier for financial entities to comply while improving the entire EU financial system's resilience by ensuring that every institution is held to the same standard.

DORA applies to all financial institutions in the EU, including traditional financial entities, like banks, investment firms, and credit institutions, and non-traditional entities, like crypto-asset service providers and crowdfunding platforms. Notably, DORA also applies to some entities typically excluded from financial regulations.
For example, third-party service providers that supply financial firms with ICT systems and services—like cloud service providers and data centers—must follow DORA requirements. DORA also covers firms that provide critical third-party information services, like credit rating services and data analytics providers.

DORA was first proposed by the European Commission in September 2020. It's part of a larger digital finance package that also includes initiatives for regulating crypto-assets and enhancing the EU's overall digital finance strategy. The Council of the European Union and the European Parliament formally adopted DORA in November 2022. Financial entities and third-party ICT service providers have until January 17, 2025 to comply with DORA before enforcement starts.

Once the standards are finalized and the January 2025 deadline has arrived, enforcement will fall to designated regulators in each EU member state, known as "competent authorities." The competent authorities can request that financial entities take specific security measures and remediate vulnerabilities. They'll also be able to impose administrative — and, in some cases, criminal — penalties on entities that fail to comply. Each member state will decide on its own penalties.

DORA establishes technical requirements for financial entities and ICT providers across four domains: ICT risk management and governance, incident response and reporting, resilience testing, and third-party risk management. Information sharing is encouraged but not required. Requirements will be enforced proportionately, meaning smaller entities will not be held to the same standards as major financial institutions. While the regulatory technical standards (RTS) and implementing technical standards (ITS) for each domain are still under development, the existing DORA legislation offers some insight into the general requirements.
#dora #operationalresilience #surety #regulation #compliance