DORA: Resilience becomes a priority for the financial sector in Europe


The Digital Operational Resilience Act (DORA) is a regulation of the European Union that came into force on January 16, 2023. This legislation represents a fundamental milestone in the regulatory landscape of the European financial sector, establishing a comprehensive and binding legal framework for the management of risks related to information and communication technologies (ICT).

Origin and objectives of DORA 

DORA arises in response to the growing complexity and sophistication of the current technological landscape, where financial institutions increasingly rely on ICT to conduct their operations. In this context, cyber threats and technological disruptions have become systemic risks that endanger the stability of the financial industry and the protection of customers.

The main objective of DORA is to strengthen the operational resilience of the European financial sector against these threats, ensuring that financial institutions: 

  • Identify and manage ICT risks properly. 
  • Develop robust security measures to protect their systems and data. 
  • Have effective disaster recovery plans to ensure the continuity of their operations in the event of a serious disruption. 
  • Cooperate with competent authorities and each other to share information and best practices. 

Who created DORA? 

DORA is the result of a complex legislative process that involved several key actors: the European Commission, which initially proposed the regulation and is responsible for its technical development; the European Parliament and the Council of the European Union, tasked with approving the final text; the national competent authorities of EU member states, responsible for overseeing compliance with the regulation in their respective countries; and the financial industry as a whole, which actively participated in the consultation process and provided feedback on the framework's development.

A detailed timeline 

DORA has come a long way from its conception to its entry into force in 2023. Along this journey, it has seen discussions, negotiations and a concerted effort by different actors to strengthen the security of the European financial sector. Let us review the key milestones: 

2019 

  • September: The European Commission publishes a consultation document on digital operational resilience in the financial sector, marking the formal beginning of the DORA development process. 

2020 

  • September: The European Commission presents a proposal for a Regulation on digital operational resilience in the financial sector to the European Parliament and the Council of the European Union, based on the conclusions of the consultation document. It establishes the fundamental principles and objectives of DORA. 
  • Rest of the year: A period of debate and negotiation opens between the European Parliament, the Council of the European Union, and the European Commission to reach a final agreement. 

2021 

  • April – June: The European Parliament and the Council of the European Union approve the Regulation proposal with some amendments. 
  • December: A final agreement on the text is reached. 

2022 

  • January: Regulation (EU) 2022/2554 is published in the Official Journal of the European Union. 
  • February: The regulation comes into force. From this date, financial entities have a three-year period to comply with the regulation requirements. 
  • November: The European Commission publishes Guidelines on the management of risks related to information and communication technologies (ICT) in the financial sector. These guidelines provide practical guidance to financial entities on how to comply with DORA requirements related to ICT risk management. 

2023 

  • January: Financial entities must conduct an initial assessment of their ICT risks to identify and classify critical ICT assets and processes, as well as potential risks that could affect them. 
  • September: Financial entities must submit a digital operational resilience plan to the competent authorities, outlining the measures they will take to manage and mitigate their ICT risks. 

2025 

  • January: Deadline for financial entities to comply with all DORA requirements. From this date, competent authorities can impose sanctions on financial entities that do not comply with the regulation. 

Who does DORA apply to? 

The DORA Regulation has a broad scope and encompasses a wide range of actors in the financial sector: traditional financial entities, non-traditional financial entities, and external service providers. Additionally, it is important to highlight that DORA applies not only to financial entities established in the EU, but also to those operating in the EU from outside the European Union. 

Traditional financial institutions  

  • Banks. Including commercial banks, investment banks, central banks and others.  
  • Insurers. Life, non-life and reinsurance companies.  
  • Investment institutions. Investment funds, asset management companies, securities firms and other investment institutions.  
  • Credit institutions. Savings banks or credit cooperatives. 

Non-traditional financial entities 

  • Payment service providers. Companies like PayPal and Stripe. 
  • Securities markets. Stock exchanges, alternative trading platforms, and other securities markets. 
  • Cryptoasset service providers. Companies that exchange, custody, or administer cryptoassets. 
  • Crowdfunding platforms. Those that connect borrowers with investors in the European Union. 

External service providers 

  • Critical ICT service providers. Companies that provide essential ICT services to financial entities in the EU, such as cloud service providers and data centre providers. 
  • Third-party service providers. Audit firms, consulting firms, and information security providers that offer services to financial entities. 

DORA requirements: high standards to ensure resilience 

The Digital Operational Resilience Act sets out requirements in several areas, which must be applied in proportion to the size of the entity.

Governance and risk management 

To ensure effective management of ICT risks, DORA requires financial entities to establish a robust framework for governance and risk management, including: 

  • Establishment of a responsible Board of Directors. It will be responsible for overseeing and directing the implementation of the operational resilience strategy, ensuring that ICT risk management is integrated into the entity’s strategic decision-making. 
  • Development of comprehensive frameworks for ICT risk management. Financial entities must develop comprehensive frameworks to identify, assess, mitigate, and monitor potential ICT risks that may affect their business, including clear methodologies for classifying critical assets and processes, conducting assessments, and activating security controls. 
  • Identification and classification of critical resources and functions. It is crucial for financial entities to identify and classify their ICT assets and processes based on their importance to the business. This will allow prioritisation of protection for the most critical resources and functions and establishment of specific recovery plans in case of disruptions. 
  • Documentation of interdependencies. Financial entities need to document the interdependencies between resources, systems, processes, and providers in order to understand the potential impact of a failure or attack in different areas.
  • Classification of cyber threats. It will be necessary to classify cyber threats based on their probability and potential impact, allowing prioritisation of response measures. 
  • Implementation of appropriate security measures to mitigate identified risks, including access controls, data protection, intrusion detection, and incident response. 
  • Business impact analysis, which must be conducted to assess the potential consequences of different disruption scenarios, such as system failures, cyber-attacks, or natural disasters. These analyses will enable financial entities to make informed decisions about investing in security measures and preparing for crisis situations. 
  • Cybersecurity protection. Financial entities must apply appropriate cybersecurity protection measures, such as identity and access management policies, data encryption, employee security awareness, and incident response plans.
  • Business continuity and disaster recovery plans will ensure the continuity of operations in case of disruptive events. These plans must be tested and updated periodically. 

Incident response and notification 

  • Implementation of systems for monitoring, managing, recording, classifying, and notifying ICT-related incidents.
  • Communication of incidents to the relevant authorities and affected clients. Criteria for determining the need for notification are based on the severity of the incident, considering factors such as: potential impact on the business, risk to clients, the scope of the incident, or its nature.

Digital operational resilience testing 

DORA mandates periodic tests of ICT systems to assess the effectiveness of security measures and the ability to respond to disruptions. These tests, which may include crisis simulations and penetration testing, must be carried out regularly and cover a wide range of risk scenarios, and their results must be communicated to the relevant authorities.

Third-party risk management 

When outsourcing critical functions, DORA requires financial entities to establish third-party risk management measures to ensure that providers comply with appropriate security and resilience standards. These measures include: 

  • Negotiating specific contractual agreements with critical service providers. These agreements should clearly define responsibilities for security, audits, and performance objectives, ensuring that providers have adequate security measures and that financial entities have access to necessary information to assess their compliance level. 
  • Avoiding concentration of critical functions in a single provider to reduce the risk of excessive dependency. This can be achieved by diversifying and engaging multiple providers or developing capabilities internally. 
  • Supervising third-party critical ICT service providers to ensure compliance with DORA requirements. This supervision will include periodic evaluations of provider security controls and taking corrective actions as necessary. 
  • Prohibition of providers that do not comply with DORA. Competent authorities may prohibit critical ICT service providers that do not comply with DORA from entering into contracts with financial entities. This measure aims to protect the financial sector from unreliable providers and ensure a high level of security in the supply chain. 

Enforcement and penalties 

Compliance with DORA requirements will be the responsibility of the competent authorities of each EU Member State. These authorities will have the power to request financial entities to implement specific security measures and address identified vulnerabilities, as well as to impose administrative sanctions, and in some cases, criminal penalties, on entities that fail to comply with DORA requirements. 

TrustCloud: strategic ally for DORA compliance 

TrustCloud, as a platform for secure digital transactions with extensive experience in highly regulated sectors such as banking and insurance, holds a privileged position to assist financial entities in complying with the DORA regulation.

We develop custom solutions to meet the specific needs of the sector. Working from a single platform, with straightforward implementation, our methodology ensures maximum resilience, aligned with DORA, complemented by that of our various service providers. In the event of a service outage or failure, TrustCloud can reroute transactions to another provider seamlessly. 

As a provider of identification and electronic signature solutions, we adhere to the highest standards of audit and monitoring, as mandated by the regulation, and hold prestigious certifications endorsing our operational resilience (ISO 22316), security and privacy (NIST 800-63), and threat management (LINCE).
