Introduction to the Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) aims to enhance the digital resilience of the European financial sector by addressing ICT risks through comprehensive governance, incident management, resilience testing, third-party risk management, and awareness initiatives. Effective from January 2025, DORA targets a wide range of financial entities, ensuring harmonized and stringent ICT security measures across the EU.
The European regulation on digital operational resilience for the financial sector (Digital Operational Resilience Act – DORA) came into force on 16 January 2023(1). Its provisions shall apply as of 17 January 2025.
The initiative for this regulation was driven by the industry's ever-increasing dependence on digital assets and processes. As a result, ICT risks pose a growing challenge for the operational resilience, performance and stability of the European financial system. In addition, the European Commission considered that previous legislation did not address this issue in a sufficiently detailed and comprehensive manner, did not provide financial supervisors with the most adequate tools to fulfil their mandate, and left too much room for divergent approaches in a single EU market. The European Supervisory Authorities (ESAs) had also previously called for a more coherent approach to the management of ICT risks in the financial sector through a joint technical advice.
The DORA regulation is based on five pillars:
- The first pillar consists of key principles and requirements on ICT governance and risk management, inspired by relevant international and sectoral standards, guidelines and recommendations. These requirements concern specific functions in ICT risk management (identification, protection and prevention, detection, response and recovery, training and development, and communication), and underline the importance of an adequate policy and organizational framework. This first pillar also covers the crucial and active role that the management body should play in driving the ICT risk management framework and the assignment of clear roles and responsibilities for ICT-related functions.
- The second pillar contains requirements related to the management and classification of ICT-related incidents, as well as provisions to harmonize and streamline the reporting of such major incidents to the competent authorities. In addition, this pillar addresses the responsibility of competent authorities to provide feedback and guidance to financial entities and to transmit relevant data to other authorities with a legitimate interest. The ambition is that financial entities will only have to report major incidents to one competent authority. In this context, the feasibility of an EU hub will also be examined by the ESAs, the ECB and ENISA. Finally, the incident reporting obligations under PSD2 will be fully integrated into this new reporting framework.
- The third pillar concerns the requirements for testing digital operational resilience, i.e. periodically assessing resilience against cyber-attacks and identifying weaknesses, shortcomings or gaps, as well as the rapid implementation of corrective measures. While all financial entities are required to subject their ICT systems to testing, which can range from scanning for vulnerabilities to analysing software, only those entities identified by competent authorities would be required to perform advanced threat-led penetration testing (TLPT).
- Fourth, the regulation contains provisions to ensure proper management of ICT risks associated with third parties. On the one hand, this objective will be achieved by imposing principles on how financial entities should monitor these risks and by introducing regulation that harmonizes the key elements of the service provision and the relationship with external ICT providers. On the other hand, the regulation aims to promote convergence in supervisory approaches for ICT third-party risks in the financial sector by establishing an EU oversight framework for critical ICT third-party service providers.
- The fifth and final pillar should increase awareness of ICT risks and related aspects. This pillar focuses on limiting the spread of these risks, supporting defensive capabilities and threat detection techniques, while explicitly allowing financial entities to establish mutual arrangements for information exchange on cyber threats.
With a view to maximum harmonization within the financial sector, DORA targets a wide range of financial entities, including central securities depositories, credit institutions, insurance and reinsurance undertakings, stockbrokers, payment institutions and electronic money institutions.
DORA should be considered a 'lex specialis' with regard to the EU Directive on measures to ensure a high common level of cybersecurity in the Union (also referred to as the NIS 2 Directive)(2). This means that the DORA requirements, for example regarding ICT security or incident reporting, are more demanding than those of the NIS 2 Directive, and that the institutions that fall under DORA can limit themselves to compliance with the DORA provisions.
Given the strong interlink between the digital resilience and the physical resilience of financial entities, the obligations of Chapters III and IV of the Critical Entities Resilience Directive (CER)(3) do not apply to financial institutions covered by DORA either.
The Bank is committed to ensuring a successful implementation of the DORA Regulation in various ways:
- On the one hand, it actively contributes, under the auspices of the ESAs, to the creation of level 2 texts that will clarify the DORA regulation in many areas. This led to a first set of draft standards covering the ICT risk management framework, the criteria for classifying ICT-related incidents, the policy regarding ICT services offered by third parties that support critical or important business functions, and finally the templates to be used when reporting ICT third-party dependencies to the competent authorities(4), most of which have been adopted by the Commission in the meantime(5), (6), (7). A second set of draft documents was published in July 2024 and included provisions related to reporting of major ICT-related incidents, as well as advanced threat-led penetration testing, subcontracting of ICT services supporting critical or important functions, and standards that should guide the oversight of critical third parties(8), (9).
- On the other hand, the Bank is also strongly committed to a successful implementation of DORA by increasing the awareness of the sector through various seminars, communications and surveys, by facilitating the integration of DORA into the Belgian legal order, by developing the necessary IT tools and processes for data collection and dissemination, by adapting existing supervisory methodologies, and by anticipating, as far as possible, the impact that the oversight of critical third parties will have on its activities.
Notes:
(1) Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
(2) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.
(3) Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.
(5) Commission Delegated Regulation (EU) 2024/1774 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.
(6) Commission Delegated Regulation (EU) 2024/1773 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
(7) Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.