
What is the Digital Operational Resilience Act, also known as DORA?


The Digital Operational Resilience Act (DORA) is a regulation within the European Union that aims to bolster cybersecurity measures and ensure the continuous functionality of the financial sector through the implementation of stringent information and communications technology (ICT) standards across all financial entities in the EU.

DORA mandates that all impacted organizational categories, totaling more than 20, must develop detailed risk management frameworks with clearly defined roles and responsibilities. This requirement aligns with the European Commission’s strategy to enhance cybersecurity within the EU financial sector.

Alongside the Network and Information Security 2 (NIS2) Directive, DORA plays a critical role in raising the level of information security within companies. While both instruments share the goal of enhancing cybersecurity, there are key distinctions between the two. NIS2 is a directive that sets goals for EU countries; because it is not a regulation, each member state must adopt and enforce its own national legislation implementing the directive, which has been a challenge for many countries. DORA, on the other hand, is a regulation in the same sense as the General Data Protection Regulation (GDPR): it is directly enforceable law with immediate legal effect, applied uniformly across all EU member states.

Moreover, unlike NIS2, which broadly targets companies across 18 sectors, DORA exclusively focuses on the financial sector, including banks, insurance companies, investment firms, and other service providers. The rationale behind DORA is that as these institutions heavily rely on digital systems, it is crucial for the entire interconnected financial sector to be resilient in the face of digital disruptions and cyberattacks.

Fragmented and inconsistent cybersecurity regulations among EU states have created confusion for businesses in all sectors. DORA seeks to provide a unified approach throughout the EU financial sector, enabling the collective management of risks consistently across national boundaries.

The core components of DORA are structured around five key pillars that collectively form a digital resilience framework to safeguard the EU financial sector. These pillars include ICT risk management, ICT-related incident reporting, digital operational resilience testing, third-party risk management, and information and intelligence sharing.

DORA applies to a wide range of entities in the financial sector, including financial entities operating within the EU, ICT service providers supplying entities covered by DORA, intragroup arrangements, and third-party IT providers of critical functions to financial entities. The regulation’s overarching goal is to establish a robust framework for digital operational resilience across the financial sector, ensuring operational continuity and preparedness to manage ICT risks effectively.

Overall, DORA legislation is crucial for cybersecurity as it introduces uniform governing principles for managing cyber risks across EU nations, replaces fragmented regulations with a cohesive approach, mandates a multifaceted approach to managing ICT-related risks, and imposes strict oversight and contractual obligations on third parties. Key dates for DORA include its enactment on Jan. 16, 2023, with enforcement starting on Jan. 17, 2025, along with the publication of templates and tools for the dry-run exercise on DORA reporting in May 2024 by the European Supervisory Authorities.
