The Digital Operational Resilience Act (DORA) is a regulation that aims to strengthen digital resilience within the European Union, by establishing a uniform framework for managing IT-related risks. Although initially focused on the financial sector, DORA also has implications for other critical sectors such as energy and telecommunications, imposing strict standards for cybersecurity.
What is DORA (Digital Operational Resilience Act)?
Origin and objectives of the regulations
In the context of DORA, "DOR" stands for "digital operational resilience", which refers to an organisation's ability to maintain and restore its essential digital operations in the face of disruption, cyber-attack or technological failure, thereby ensuring the continuity and security of its services.
Its aim is to ensure that all players in the financial system have the safeguards they need to withstand cyber-attacks and other information and communication technology (ICT) risks, maintain critical functions in the event of serious disruption, and foster confidence in their ability to cope with operational shocks.
Scope and entities concerned
Although DORA was originally designed for the financial sector, its scope of application is vast. It covers a wide range of financial entities, including:
- Credit institutions
- Investment firms
- Payment service providers
- Insurance and reinsurance companies
- Alternative investment fund managers
- Crypto-asset service providers
In addition, DORA also applies to critical third-party suppliers of ICT services to these financial entities, recognising the importance of the supply chain to overall operational resilience.
Implementation schedule
The timetable for implementing DORA is progressive, allowing the entities concerned to adapt to the new requirements:
- December 2022: Final adoption of DORA by the European Parliament
- January 2023: DORA comes into force
- January 2025: Planned date for effective application of DORA
The two-year period between entry into force and effective application is intended to give companies the time they need to comply with the new requirements.
The main pillars of DORA
DORA is based on four fundamental pillars designed to strengthen the digital operational resilience of the entities concerned:
ICT risk management
DORA requires entities to put in place a robust ICT risk management framework. This includes:
- Identifying and classifying information assets
- Protection and prevention against potential threats
- Detecting anomalies and security incidents, which requires an SOC to be in place
- Setting up response and recovery processes
Companies will need to demonstrate that they have a thorough understanding of their digital risks and that they have effective strategies in place to manage them.
Digital operational resilience testing
DORA introduces a requirement for regular digital operational resilience testing. These tests may include:
- Vulnerability analyses
- Penetration tests
- Crisis simulation exercises
- Disaster recovery tests
The aim is to verify the ability of the entities to maintain their critical operations in the face of major disruptions.
Incident management and reporting
Another aspect of DORA is the improvement of incident management and reporting processes. Entities will have to:
- Implement procedures for detecting and managing ICT-related incidents
- Classify incidents according to their seriousness
- Report major incidents to the appropriate authorities within strict deadlines
- Share information on threats and vulnerabilities with other players in the sector
This approach aims to improve responsiveness to incidents and encourage the sharing of information within the sector.
The authorities responsible for receiving notifications of major incidents are the European Supervisory Authorities (ESAs):
- The European Banking Authority (EBA)
- The European Securities and Markets Authority (ESMA)
- The European Insurance and Occupational Pensions Authority (EIOPA)
Managing the risks associated with third parties and ICT service providers
Recognising the increasing reliance on cloud service providers and other ICT providers, DORA also imposes strict requirements for managing third-party risks. These include:
- Rigorous risk assessment before committing to a supplier
- The establishment of detailed contracts covering security and resilience aspects
- Continuous monitoring of supplier performance and compliance
- Planning exit strategies in the event of failure of a critical supplier
Implications of DORA for businesses
New governance and risk management requirements
DORA imposes significant new requirements in terms of governance and risk management:
- Increased responsibility of the Board of Directors and management in overseeing ICT risks
- The need for documented policies and procedures for digital risk management
- Obligation to carry out regular risk assessments and update risk management strategies
Companies will need to integrate digital operational resilience into their overall strategy and corporate culture.
The need to strengthen cyber security capabilities
To comply with DORA, many companies will need to significantly strengthen their cybersecurity capabilities:
- Investment in cutting-edge technologies for threat detection and prevention
- Ongoing staff training on cyber security issues
- Setting up teams dedicated to incident management and crisis response. This can be done through an SOC or an outsourced CERT.
- Developing in-house skills in digital risk analysis
Impact on relations with cloud service providers
DORA will have a significant impact on the way businesses manage their relationships with cloud service providers and other ICT suppliers:
- The need to carry out more in-depth evaluations of suppliers before making a commitment
- Requirement for more detailed contracts covering security, resilience and compliance aspects
- Obligation to set up continuous supplier monitoring processes
- Need to develop robust exit strategies for critical services
Companies will need to adopt a more proactive and rigorous approach to managing their ICT service providers, ensuring that they meet the high standards imposed by DORA.
DORA therefore represents a significant change in the way European businesses, particularly in the financial sector, approach digital operational resilience. DORA also offers an opportunity to strengthen cybersecurity, improve customer confidence and contribute to the creation of a more resilient digital ecosystem in Europe.
With its solid experience in compliance projects and certified consultants, Cloud Temple can help you achieve DORA compliance. Contact our teams.