Regulations | December 13 2023

Explainer: the Digital Operational Resilience Act

Work is underway to ensure the financial sector in Europe is able to stay resilient through a severe operational disruption.

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act (Dora) came into force on January 16, 2023, but organisations have until January 2025 to become compliant.

Dora aims to introduce a comprehensive framework on digital operational resilience for European financial institutions.

In January 2025, financial institutions and third-party ICT providers will have to meet these new requirements on the operational stability of digital systems.

Provisions of Dora will be specified in regulatory and implementing technical standards (RTS and ITS), adopted by the European Supervisory Authorities (EBA, EIOPA and ESMA, collectively the ESAs).

Dora is one aspect of the EU’s Digital Finance Package, which includes legislative proposals on markets in crypto-assets (MiCA), distributed ledger technology such as blockchain and a digital finance strategy.

What is the scope of Dora?

Dora’s objective is to make sure the financial sector in Europe is able to effectively manage ICT and cyber security risk, including when arising from third-party providers. 

Only if these risks are properly managed can digitalisation truly deliver on the many opportunities it offers for the banking and financial industry.

Dora encompasses five main areas:

ICT risk management

Financial entities will be required to define and oversee the implementation of all arrangements related to the ICT risk management framework.

Reporting on ICT-related incidents

Financial entities are required to establish and implement an ICT-related incident management process to detect and notify ICT-related incidents.

Digital operational resilience testing

Financial entities are required to establish and implement an ICT-related incident management process to detect, manage and flag up ICT-related incidents.

Management of third-party risk

Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework.

Information and intelligence sharing

Financial entities may exchange among themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, as well as cyber security alerts.

Large scope of application 

Dora covers all financial actors, including credit institutions, crypto-asset service providers, payment institutions, insurance companies and statutory auditors. It also regulates critical third-party ICT providers, including providers of cloud computing services, software, data analytics services and data centres, but it does not cover providers of hardware components.

The inclusion of third-party providers is important given that outsourcing is widely used in the European banking sector. According to the annual report on the outcome of the 2020 SREP IT risk questionnaire, 60% of banks either fully or largely rely on outsourced activities, and around 85% of banks use some form of cloud computing services.

The impact on financial institutions 

Financial entities should perform due diligence on existing contracts with third-party ICT service providers, ensuring that all relevant key contractual provisions are catered for and that their contract register is up to date.

According to Joachim Wuermeling, member of the executive board of the Deutsche Bundesbank, small and medium-sized banks in particular will benefit from digitalisation if the risks are managed. 

Dora can bring two main improvements to this group of lenders. The first is central oversight of cloud service providers. The second follows from the fact that small banks usually rely on cloud services, which let them tap into huge computing capacities and state-of-the-art software capabilities without an expensive IT infrastructure of their own.

Nevertheless, every bank has a duty to monitor and control the risks arising from an outsourcing relationship. Systemically important third-party service providers will be audited by public authorities. Many cloud service providers operate internationally, have millions of customers and hold enormous amounts of data and money. Compared with them, smaller European banks are simply too small to audit the cloud service providers themselves in any meaningful way.

The cost of operational incidents in the EU financial sector is between €2bn and €27bn per year. Dora could help to lower these numbers and mitigate the wider impacts of serious cyber incidents.

Dora could also reduce the administrative burden on financial institutions and increase the efficiency of supervision with more consistent and standardised incident reporting procedures.
