Digital Operational Resilience Act (DORA)
Regulation 2022/2554 on digital operational resilience for the financial sector
Category
Status
EU
Date of application is 17 January 2025.
EEA
Pending. Draft Joint Committee Decision (JCD) under consideration.
Norway
Pending. Public consultation initiated on 23 January 2024 with a deadline for submitting answers 3 April 2024.
Scope
The Digital Operational Resilience Act (DORA) specifically targets enhancing cybersecurity within the financial sector. It encompasses a wide range of financial entities in the EU, including banks, investment firms, and payment service providers. The proposal also introduces a supervisory framework for ICT providers, such as cloud service providers. DORA will be supplemented by several delegated regulations.
Relevance
DORA is highly relevant in addressing the increasing cybersecurity threats faced by the financial sector, given its critical role in the economy and society at large. By imposing stringent cybersecurity measures and promoting proactive risk management practices, DORA aims to enhance the resilience of financial institutions, safeguard customer data, and maintain trust in the stability of the financial system.
In a public consultation initiated on 24 January 2024, the Norwegian Ministry of Finance proposed that DORA is implemented in Norway by way of a new act on digital operational resilience for the financial sector and amendments to several acts and Regulations in the finance sector. Timing of implementation remain unknow.
Key obligations
DORA mandates financial institutions to establish robust cybersecurity frameworks to protect their operations and sensitive data from cyber threats. This includes implementing measures such as risk assessments, ICT policies, adequate security controls and an operational resilience testing program as an integral part of an ICT-risk management framework.
Financial entities are required to establish an incident management process to detect, manage and notify ICT-related incident. In addition, ICT-related incidents and significant cyber threats must be recorded. Furthermore, the entities must report cybersecurity incidents to relevant authorities, enabling swift response and mitigation efforts. Timely reporting is intended to help minimize the impact of cyberattacks and enhance overall sector resilience.
DORA provides comprehensive rules on third party risk management. Except for micro-enterprises, all enterprises are required to have a vendor risk strategy that meets specific criteria, maintain a registry of ICT services used, and annually report new contracts and planned ICT service agreements for critical functions to the supervisory authority. Before entering into an agreement with an ICT provider, an enterprise must conduct evaluations and ensure the provider adheres to appropriate information security standards. DORA additionally sets out minimum, key contractual elements which must be included in contractual arrangements on the use of ICT services.