Understanding DORA: An Overview of the Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) is an EU regulatory framework aimed at enhancing the financial sector’s ability to withstand and recover from ICT (information and communication technology) disruptions.
DORA seeks to harmonize operational resilience standards across the EU to better manage risk and safeguard the financial system’s stability.
Scope and Applicability
DORA’s wide scope encompasses a variety of financial entities, including:
- Credit institutions
- Payment service providers
- Investment firms
- Insurance companies
- Other financial intermediaries
Beyond financial institutions, DORA also applies to third-party ICT providers, including cloud service providers, data analytics firms, and IoT technology providers, whose services are critical to financial infrastructure. Importantly, DORA has an extraterritorial reach, meaning that even non-EU ICT providers are subject to DORA if their services are critical to the operation of EU-based financial institutions or products. This extraterritoriality affects entities located outside the EU that maintain business relationships with EU financial entities. Any Israeli company that is a third party providing services integral to the operation of financial products, such as banking systems or insurance services, could fall under DORA’s purview.
Key Requirements
To ensure compliance with DORA, institutions and their ICT providers must meet several core requirements:
- ICT Risk Management: Financial entities need to develop and maintain robust ICT risk management frameworks. This includes creating systems to detect, mitigate, and recover from ICT-related incidents, as well as conducting regular risk assessments.
- Incident Reporting: Institutions are required to report ICT incidents that significantly impact services to regulators within specific timeframes. This ensures transparency and helps regulators monitor systemic risks.
- Digital Operational Resilience Testing: Regular testing of resilience frameworks, including scenario-based tests, penetration tests, and disaster recovery drills, is mandatory. For larger institutions, external validation of systems is encouraged.
- Third-Party Risk Management: Financial institutions must ensure that contracts with ICT providers include provisions for monitoring resilience, incident reporting, and exit strategies, maintaining oversight even when services are outsourced.
- Information Sharing: DORA encourages institutions to share information on ICT threats and vulnerabilities, promoting collective resilience in the financial sector.
Timeline
DORA was adopted on November 28, 2022, and will become fully applicable on January 17, 2025. This transition period provides financial entities and their ICT providers time to implement the necessary measures to comply with the new regulatory standards.
What Should Companies Do Now?
As the 2025 deadline approaches, companies should take the following actions to ensure they are prepared:
- Assess Gaps in Compliance: Conduct a review of current ICT risk management and operational resilience practices to identify gaps between existing measures and DORA’s requirements.
- Strengthen Risk Management: Enhance internal risk management frameworks by implementing measures such as regular risk assessments, encryption, and secure coding practices.
- Establish Incident Reporting Mechanisms: Set up clear procedures for reporting ICT incidents in accordance with DORA’s requirements, ensuring timely communication with regulators.
- Prepare for Resilience Testing: Begin planning and conducting operational resilience tests, including penetration and scenario-based testing.
- Review Contracts with Third-Party Providers: Ensure contracts with ICT providers include resilience monitoring, incident reporting, and termination clauses to protect continuity of service.
Conclusion
As we approach DORA’s 2025 applicability date, it is crucial for financial entities and their ICT providers to take proactive steps now to meet the new compliance requirements. Aligning with DORA’s framework will not only ensure compliance, but also enhance your institution’s overall resilience in an increasingly digital financial environment.
If you have any questions or need assistance in preparing for DORA compliance, please do not hesitate to reach out to our Privacy and Data Protection team.