The Digital Operational Resilience Act (DORA) is a regulation that aims to strengthen the resilience of the financial sector's digital operations within the European Union by establishing a uniform framework for managing Information and Communication Technology (ICT) risk.
It is directly applicable in all EU Member States from 17 January 2025, without requiring national transposition.
Faced with the growing risks brought by the digitalisation of the financial sector, the European Commission launched the DORA initiative in September 2020. It forms part of a broader strategy to strengthen digital finance in Europe, in response to the growing vulnerability of digital systems.
DORA is a "lex specialis" which specifies, complements and takes precedence over NIS 2 for the financial sector as regards the management of ICT risk. It applies from 17 January 2025.
| THE PILLARS | WHAT IMPACT WILL THIS HAVE ON THE PLAYERS INVOLVED? |
|---|---|
| ICT risk management | DORA requires entities to establish a robust ICT risk management framework covering asset identification, protection against threats, risk management, and incident detection and response processes. Companies must demonstrate that they have their digital risks under control and have strategies in place to manage them. |
| Digital operational resilience testing | DORA makes regular resilience testing compulsory, including vulnerability assessments, impact analyses, penetration tests, crisis simulations and recovery tests. These assessments are intended to confirm that entities can continue their critical activities during major disruptions. |
| Incident management and reporting | DORA calls for improved incident management, with procedures for detecting incidents and classifying them by severity. Entities must report major incidents to the authorities promptly and share threat information with other players, thereby improving the sector's responsiveness. |
| Third-party and ICT service provider risk management | Given the dependence on ICT and cloud service providers, DORA establishes strict management of third-party risk. This includes prior assessment, detailed security clauses in contracts, continuous performance monitoring and exit strategies for critical providers. |
"Inspired by the management principles of the ISO 27001 standard and complementing the NIS 2 directive, the DORA regulation focuses on the operational resilience of the entire financial sector in the face of digital disruption, particularly in the event of a cyber crisis. It emphasises the importance of organisations developing a proactive capacity to anticipate, respond and adapt, in order to ensure business continuity."
DORA applies to 21 types of financial entity, such as credit institutions, investment firms, insurers, fund managers and crypto-asset service providers.
The regulation also extends to critical third-party providers of ICT services to these entities, such as cloud service providers, cybersecurity platforms, data analytics providers and even infrastructure and network providers.