Digital Operational Resilience Act (DORA) for financial services

In today’s digital era we can no longer imagine a world without information and communication technology (ICT). Be it in everyday life or in a business environment, ICT is ubiquitous. Exchange of information, trade transactions, business activities… all are facilitated by ICT. It is safe to say that ICT has become a key pillar of our economy and an indispensable factor in various key sectors, including financial services.

The digital transformation within the financial sector in recent years brings an unprecedented use of and reliance on ICT services. From various software solutions to data-related services, the digital opportunities for financial entities these days are numerous. This digitization, however, results in a European financial ecosystem that is becoming increasingly and intrinsically co-dependent on different ICT services provided by third-party ICT service suppliers. A deepened interconnectivity and dependency between the financial players, third-party infrastructure, and service providers eventually also means an increased vulnerability to ICT and operational disruptions, data loss, or cyber threats in the financial system. Therefore, mitigating the risk of ICT dependency and incorporating a solid digital resilience into the operational framework is today all the more important. A disruption in financial services could not only affect other businesses in other sectors but ultimately the entire economy.

This is where the Digital Operational Resilience Act (DORA) comes into play.

Scope of the Digital Operational Resilience Act (DORA)

DORA is a set of uniform requirements concerning the security of networks and information systems that support the business processes of financial entities. The ultimate goal is to achieve a high common level of digital operational resilience.

The requirements apply to:

  1. Financial entities in relation to Information and Communication Technology (ICT) Risk Management: A set of principles and requirements is needed to set up a reliable ICT risk management framework. Financial entities should follow the same approach and the same principle-based rules when addressing ICT risk, which requires harmonization of the key digital operational resilience requirements.

  2. ICT-related Incident Management, Classification, and Reporting: Not only strong ICT risk management, but also specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents need to be in place in order to maintain control over ICT risk.

  3. Digital Operational Resilience Testing: Policies should be in place for testing ICT systems, controls, and processes.

  4. Measures for the sound management of ICT third-party risk: A set of principle-based rules to ensure sound monitoring of ICT third-party risk.

  5. Information and intelligence sharing in relation to cyber threats and vulnerabilities: Cyber threat information and intelligence can be exchanged between financial entities.

In addition, the regulation covers:

  • contracts between financial entities and ICT third-party service providers
  • rules for establishing and conducting an oversight framework for critical ICT third-party service providers
  • rules on co-operation, supervision and enforcement by competent authorities in relation to all matters covered by the regulation


DORA applies to the following entities:

  • credit institutions
  • payment institutions
  • account information service providers
  • electronic money institutions
  • investment firms
  • crypto-asset service providers (as authorised under a Regulation of the European Parliament and of the Council on markets in crypto-assets) and issuers of asset-referenced tokens
  • central securities depositories
  • central counterparties
  • trading venues
  • trade repositories
  • managers of alternative investment funds
  • management companies
  • data reporting service providers
  • insurance and reinsurance undertakings
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • administrators of critical benchmarks
  • crowdfunding service providers
  • securitisation repositories
  • ICT third-party service providers

By Harmonizing Operational Resilience Rules

By harmonizing the rules on operational resilience that apply to more than 20 different types of financial entities and to ICT third-party service providers, DORA aims to enhance the IT security of financial services, ensuring that the European financial sector remains resilient in case of significant operational disruptions. The Digital Operational Resilience Act entered into force on 16 January 2023 and will apply as of 17 January 2025.

(Based on the Official Journal of the European Union: REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011)

An article by Evy Slaets, Manager at DynaFin.