03.01.2024

Resilience in the financial sector - DORA

Here is the relevant information for affected companies:

DORA is a European Union (EU) regulation that aims to create a binding, comprehensive framework for risk management and information and communication technology (ICT) resilience for the EU financial sector. DORA was published on 16 January 2023 and has an implementation period of two years.


Who is affected by DORA?

DORA will apply to more than 20,000 financial organisations that must comply with specified standards to prevent and limit the impact of ICT-related risks. The regulation must be implemented by 17 January 2025.

Affected companies are financial institutions and ICT third-party service providers operating in the European Union:

  • Banks
  • Credit and payment institutions
  • Insurance companies
  • Securities exchanges
  • Trading platforms
  • Providers of digital services


What is the aim of DORA?

DORA aims to increase the resilience of the financial sector to cyber threats and business disruptions by creating a comprehensive, overarching framework for digital operational resilience, with rules that apply to all regulated financial institutions.

It primarily addresses risks in ICT systems and operations, cybersecurity, business interruption, IT incidents and the risks posed by critical third-party service providers.


What does DORA require in terms of content?
The requirements of DORA are divided into chapters (pillars), which in turn are divided into articles.
This structure makes it easier to assign each requirement internally and to name an internal workstream for it, with the following implementation steps:

  • Gap assessment and readiness audit (conducting the necessary gap analyses and assigning ownership for implementation)
  • Development of an implementation plan (measures, milestones and prioritisation)
  • Improvement of policies and procedures (harmonisation with DORA)
  • Training and awareness
  • Monitoring (regular assessment of the effectiveness of measures) and continuous improvement


Pillars/chapter overview

An overview of the pillars/chapters resulting from DORA:

  • Pillar 1 – ICT risk management (Articles 5–16): Governance and control by top management, which has an active role in the governance of the ICT risk management and cyber risk framework. A set of requirements and key principles for the ICT risk framework.
  • Pillar 2 – ICT incident reporting (Articles 17–23): Standardisation of reporting and extension of reporting obligations. Financial organisations must have an ICT-related incident management process in place, including the reporting of serious security incidents to EIOPA.
  • Pillar 3 – Digital operational resilience testing (Articles 24–27): Financial firms must perform basic and advanced testing (TLPT – Threat-Led Penetration Testing: simulating an attack by a real adversary through ethical hacking) and must implement a robust and comprehensive digital operational resilience testing programme.
  • Pillar 4 – Management of third-party risk (Articles 28–44): Financial organisations must manage third-party ICT risk as an integral part of their ICT risk management framework. Principles-based rules for the monitoring of third-party risk are established, contractual provisions are defined and an oversight framework for critical ICT TPPs (third-party providers) is created.
  • Pillar 5 – Information sharing arrangements (Article 45): Financial entities shall share information and intelligence on cyber threats with each other.

DORA Level 2 Regulatory Technical Standards (L2 RTS)

The first batch of L2 RTS was published on 17 January 2023.

This includes:

  • ICT risk management framework (Art. 15, 16): Risk management tools, methods, processes and strategies; proportionality and risk-based approach; flexibility in implementation; reporting on the risk management framework; vulnerability reporting; and the risk management framework across numerous functions.
  • Incidents related to ICT (Art. 18.3): Classification of ICT incidents using criteria such as reputational impact, duration, service outage and transactions affected.
  • Third-party ICT services (Art. 28.9, 28.10): Details on the content of policies relating to contractual arrangements and the types of information to be included in the TPPs’ ICT services information register.


The second batch of the L2 RTS was published on 10 December 2023 and is open for consultation until 4 March 2024.


Other relevant laws and guidelines

In the current context of relevant laws and guidelines for information security, we would also like to refer you to the CIS article “Significant legal advances for cyber security in 2024”, which provides an overview of relevant regulations such as NIS 2 (Network and Information Security Directive 2), the Cyber Resilience Act (CRA), the Artificial Intelligence (AI) Act, TISAX (Trusted Information Security Assessment Exchange) and DORA (Digital Operational Resilience Act).

Contact persons

Margit Mann, MSc.

As manager of the Business Resilience and BCM division of a large insurance company in Austria, she knows the importance of the interaction between management systems, the interface topics to ISO 22301 and the adoption of new guidelines and topics. Her personal motto: continuous improvement as the path to success.

Lea Grösser, MA

BCM Officer and part of the project team for the implementation of DORA at Bank Gutmann AG. As a graduate of the Integrated Risk Management programme, she has been working in risk management at Bank Gutmann AG since 2020.