DORA
DORA (Digital Operational Resilience Act) is a European Union regulation establishing uniform requirements for digital operational resilience in the financial sector. The regulation imposes obligations regarding ICT risk management, incident reporting, and resilience testing.
What is DORA?
DORA Definition
DORA (Digital Operational Resilience Act) is Regulation (EU) 2022/2554 of the European Parliament and of the Council, establishing uniform requirements for digital operational resilience for financial sector entities. The regulation entered into force on January 16, 2023, with full application from January 17, 2025.
Purpose of DORA
DORA aims to:
- Harmonize ICT security requirements across the EU
- Strengthen financial sector resilience against cyber threats
- Unify approaches to ICT risk management
- Increase oversight of ICT service providers
- Improve ICT-related incident reporting
Who Does DORA Apply To?
Financial Entities
- Banks and credit institutions
- Investment firms
- Payment institutions
- Insurance companies
- Investment funds
- Exchanges and clearing houses
- Rating agencies
- Fintech and crypto-asset service providers
ICT Service Providers
- Cloud computing providers
- Data centers
- Software companies
- Managed Security Service Providers (MSSP)
Main Pillars of DORA
1. ICT Risk Management
- Comprehensive ICT risk management strategy and policy
- Identify, protect, detect, respond, and recover
- Management body responsibility for ICT security
- Regular reviews and updates
2. ICT Incident Reporting
- Incident classification according to DORA criteria
- Obligation to report major incidents to supervisory authorities
- Reporting deadlines: initial notification within 24h, intermediate report within 72h, final report within 1 month
- EU central reporting platform
3. Digital Resilience Testing
- Regular ICT security testing
- Threat-Led Penetration Testing (TLPT) for significant entities
- Scenario testing and crisis exercises
- Independent validation of results
4. Third-Party Risk Management
- ICT provider due diligence
- DORA-compliant contractual clauses
- Provider monitoring and auditing
- Exit strategies and contingency plans
5. Threat Information Sharing
- Cyber threat information sharing mechanisms
- Collaboration between financial entities
- Participation in sectoral initiatives (ISAC)
Key DORA Requirements
For Management Bodies
- Direct responsibility for ICT risk management
- Approval of security policies and strategies
- Regular training and knowledge updates
- Oversight of resilience program implementation
For Organizations
- Dedicated ICT risk management function
- Process and procedure documentation
- Business continuity testing (BCP/DR)
- ICT asset and supplier inventory
For ICT Providers
- Meeting security requirements
- Client audit rights
- Incident reporting
- Continuity plans and exit strategy
Threat-Led Penetration Testing (TLPT)
DORA introduces TLPT requirements for significant entities:
- Tests based on realistic threat scenarios
- Conducted by certified testers
- TIBER-EU framework as the standard methodology
- Frequency: at least once every 3 years
- Scope: critical functions and systems
Sanctions for Non-Compliance
Member States determine sanctions, which may include:
- Administrative penalties
- Public warnings
- Orders to cease practices
- License revocation
Implementation Timeline
| Date | Event |
|---|---|
| 16.01.2023 | DORA entry into force |
| 17.01.2024 | RTS and ITS (delegated acts) |
| 17.01.2025 | Full DORA application |
| 17.01.2025 | First TLPT deadline |
How to Prepare for DORA?
Step 1: Gap Analysis
- Compare current practices with DORA requirements
- Identify areas requiring improvement
- Prioritize actions
Step 2: Update Risk Management Framework
- Review ICT policies and procedures
- Adjust organizational structure
- Strengthen supplier management
Step 3: Testing Program
- Implement regular security testing
- Prepare for TLPT
- Document results and remediation actions
Step 4: Incident Reporting
- Classification and reporting processes
- Integration with monitoring systems
- Team training
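Worked example of the reporting cadence listed under pillar 2 and step 4 above, written for this page and not taken from the regulation or any vendor tool: it derives the three report deadlines from the moment an incident is classified as major and checks each submission against them. Assumptions: the clock starts at classification, "1 month" is read as one calendar month, and the sample incident is constructed.

```python
from datetime import datetime, timedelta, timezone
import calendar

# Reporting cadence as listed on this page: initial 24h, intermediate 72h, final 1 month.
INITIAL = timedelta(hours=24)
INTERMEDIATE = timedelta(hours=72)


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition, clamping to the last day of the target month
    (assumption: '1 month' means one calendar month, so 31 Jan -> 28/29 Feb)."""
    year, month = ts.year, ts.month + 1
    if month > 12:
        year, month = year + 1, 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(classified_at: datetime) -> dict:
    """Due times for the three reports, measured from classification as major
    (assumption: the deadline clock starts at classification)."""
    return {
        "initial": classified_at + INITIAL,
        "intermediate": classified_at + INTERMEDIATE,
        "final": add_one_month(classified_at),
    }


def report_status(classified_at: datetime, submitted: dict, now: datetime) -> dict:
    """Per report: 'on time' / 'late' if submitted, else 'overdue' / 'pending'."""
    status = {}
    for name, due in reporting_deadlines(classified_at).items():
        sent = submitted.get(name)
        if sent is not None:
            status[name] = "on time" if sent <= due else "late"
        else:
            status[name] = "overdue" if now > due else "pending"
    return status


# Constructed sample incident (not from the page): classified as major on 31 Jan 2025.
SAMPLE_CLASSIFIED_AT = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
SAMPLE_SUBMISSIONS = {
    "initial": datetime(2025, 2, 1, 9, 0, tzinfo=timezone.utc),       # 23h after classification
    "intermediate": datetime(2025, 2, 3, 12, 0, tzinfo=timezone.utc), # 74h: past the 72h deadline
}
SAMPLE_NOW = datetime(2025, 2, 10, tzinfo=timezone.utc)


def demo() -> dict:
    return report_status(SAMPLE_CLASSIFIED_AT, SAMPLE_SUBMISSIONS, SAMPLE_NOW)


if __name__ == "__main__":
    for report, due in reporting_deadlines(SAMPLE_CLASSIFIED_AT).items():
        print(f"{report:<12} due {due.isoformat()}")
    print(demo())
```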
DORA and Other Regulations
DORA complements and is consistent with:
- NIS2 - Network and Information Security Directive
- GDPR - personal data protection
- PSD2 - payment services
- MiCA - Markets in Crypto-Assets
DORA is a groundbreaking regulation that raises the bar for cybersecurity in the EU financial sector, requiring a comprehensive approach to digital resilience.