What is DORA?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) was adopted by the EU in November 2022, entered into force in January 2023 and applies from 17 January 2025. It aims to strengthen the IT security and operational resilience of financial institutions, including banks, insurance companies, and investment firms, across the European financial sector. DORA establishes a comprehensive framework covering five pillars: managing and mitigating ICT risks, overseeing third-party ICT service providers, conducting digital operational resilience testing, classifying and reporting ICT-related incidents, and sharing information on cyber threats.
Additionally, it ensures robust regulatory oversight of critical third-party service providers, further bolstering the financial sector’s ability to withstand and recover from significant operational disruptions.
Key objectives of DORA
⇢ Strengthen cybersecurity in the financial sector
DORA aims to safeguard financial entities from cyber-attacks and technological disruptions by enhancing their digital operational resilience, ensuring they can effectively manage ICT risks and continue delivering services securely.
⇢ Mitigate cross-border ICT risk impacts
By establishing a unified framework for managing ICT risks, DORA seeks to minimize disruptions that could spread across borders, protecting interconnected financial services and preventing cascading effects on other industries and the broader economy.
⇢ Ensure resilience of third-party ICT providers
DORA emphasizes the importance of monitoring and managing risks related to third-party technology providers, ensuring that critical service dependencies do not compromise the resilience of financial institutions.
Who does DORA affect?
The Digital Operational Resilience Act (DORA) applies to a wide range of financial entities in the European Union (EU) as well as certain critical ICT third-party service providers:
- Financial Entities: This includes banks, insurance companies, investment firms, payment and e-money institutions, credit rating agencies, crypto-asset service providers (CASPs), and other financial institutions.
- ICT third-party service providers: These are service providers designated as "critical" to the operations of financial entities, including cloud service providers, cybersecurity firms, and data management companies.
DORA impacts key institutions across the financial sector, including banks, insurance providers, and multinational financial service firms. Key stakeholders such as compliance officers and risk managers must be prepared to implement these changes to ensure resilience and regulatory compliance.
Key challenges of DORA compliance
⇢ Complex ICT risk management requirements
DORA’s comprehensive framework for managing ICT risks includes enhancing cybersecurity measures, establishing detailed incident classification and reporting processes, and conducting regular resilience testing, including threat-led penetration testing for the entities in scope for it.
⇢ Oversight of ICT third-party service providers
DORA requires financial institutions to monitor ICT third-party providers rigorously and to maintain a register of information on all contractual arrangements with them. According to the European Supervisory Authorities (ESAs), around 15,000 ICT providers support EU financial entities, and some of these will be designated as critical because they are difficult or impossible to replace. This concentration heightens operational risk, making compliance with DORA's resilience standards essential to mitigating potential disruptions.
⇢ Coordinating compliance efforts across borders
DORA is an EU-wide regulation, but it is supervised by national competent authorities, so for organizations operating in multiple jurisdictions, coordinating compliance across borders will be particularly challenging.
How Wolters Kluwer OneSumX can help
With DORA applying from 17 January 2025, compliance is critical. By Q1 2025, financial entities must submit their registers of information on ICT third-party arrangements to their competent authorities, using the updated templates issued by the ESAs. Ensure both you and your vendors are fully compliant. Reach out to us for further information.