On January 16, 2023, the Digital Operational Resilience Regulation, “DORA“, came into force. For the first time, provisions addressing digital risk in finance are brought together in a coherent manner and in a single piece of legislation.
What is the Digital Operational Resilience Regulation (DORA)?
The Digital Operational Resilience Regulation solves a major problem in EU financial regulation. Prior to DORA, financial institutions managed the major categories of operational risk primarily with capital allocation, but did not manage all components of operational resilience (the organization’s ability to continue to function in the face of any critical event).
After DORA, entities will also be required to follow rules to improve capabilities for protection, detection, containment, recovery and remediation of ICT-related incidents. DORA explicitly refers to ICT risk and establishes rules on technology-related risk management, incident reporting, operational resilience testing and third-party risk monitoring.
To whom does it apply?
DORA will have a very broad application and will cover all authorized European financial institutions, in total about 20, including ICT service providers.
- Credit institutions.
- Payment entities.
- Account information service providers.
- Electronic money institutions.
- Investment services companies.
- Cryptoasset service providers.
- Central securities depositories.
- Central counterparties.
- Trading centers.
- Operations records.
- Alternative investment fund managers.
- Management companies.
- Data delivery service providers.
- Insurance, reinsurance and complementary insurance companies and intermediaries.
- Employment pension funds.
- Credit rating agencies.
- Crucial benchmark index managers.
- Providers of participative financing services.
- Securitization registers.
Interestingly, Article 58 states that before January 17, 2026, the European Commission must submit a legislative proposal to the European Parliament and the Council, so that the Regulation also applies to statutory auditors and audit firms.
In this regard, and despite its intentionally broad scope, DORA provides some elements of proportionality. In other words, in-scope financial institutions must comply with DORA taking into account their size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations, among other variables.
When will it be applicable?
Although the Regulation entered into force 20 days after its publication in the Official Journal of the European Union, it will be fully applicable as of January 17, 2025, so financial institutions will have 2 years to comply with it.
Furthermore, it is important to note that DORA is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.
- ICT risk managementThe company should have a solid, complete and well-documented IT-related risk management framework that enables it to deal with risk quickly, efficiently and comprehensively, with the management body having a major role in defining and approving it. In addition, the members of the aforementioned body shall receive periodic training.
- ICT third party risk management: financial institutions must establish an IT-related third party risk strategy and may only enter into contractual agreements with suppliers that comply with appropriate information security standards. These requirements will be higher if we are dealing with Critical ICT service providers.
- Incident management: entities shall establish a security incident management process to detect, manage and report security incidents and shall have early warning indicators in place.
- Digital operational resilience: a robust and comprehensive digital operational resilience testing program should be implemented, comprising a variety of assessments, tests, methodologies, practices and tools. In addition, threat-driven penetration tests must be performed every three years.
- Information sharing: DORA will enable, but not require, financial institutions to share information and intelligence on cyber threats, including indicators of compromise, tactics, techniques, etc.
- Protection, prevention and detection: financial institutions will continuously monitor the operation of ICT systems and tools in order to minimize the impact of risks through the deployment of appropriate ICT security tools, policies and procedures.
What makes DORA different from the rest of the regulations?
The purpose of this Regulation is, firstly, to consolidate and update the ICT risk requirements that have so far been addressed separately in the various Regulations and Directives. While these EU legal acts covered the main categories of financial risk (inter alia, credit risk, market risk, credit risk and counterparty liquidity risk or market conduct risk), at the time of their adoption they could not comprehensively address all components of operational resilience.