Given the ever-increasing risks of cyber-attacks, the EU is strengthening the ICT (Information Communication Technologies) security of the banks, insurance companies and investment firms. As part of these efforts, the European Parliament (EP) and the Council have approved the Digital Operational Resilience Act (DORA), which stresses again many of the requirements established in the EBA Guidelines ICT and Outsourcing, adding new requirements or reinforcing some of the existing ones.
EP/Council - Digital Operational Resilience Act (DORA)
Executive summary
These regulations aim to ensure the financial sector in Europe is able to stay resilient through a severe operational disruption, by creating a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
Main content
This Technical Note summarises the key aspects covered by DORA, organised as follows:
- ICT Perimeter and Governance. DORA lays down uniform requirements concerning the security of network and information systems of financial entities as well as critical third parties which provide ICT-related services to them, such as cloud platforms or data analytics services. On the other hand, describes the different tasks of the management body on this regard and identifies a position in charge of monitoring agreements with ICT third-party service providers.
- ICT risk. Financial entities shall:
- Identify and classify, according to criticality, ICT support functions and assets, as well as their interdependencies with third parties.
- Continuously identify sources of risk.
- Evaluate specific risks in all legacy ICT systems on an annual basis.
- Conduct a Business Impact Analysis (BIA) of exposures to severe business interruptions in terms of continuity to assess their potential impact.
- ICT - related incident reporting. Financial entities shall:
- Classify ICT-related incidents and determine their impact based on the listed criteria, (e.g. the number and/or relevance of clients or financial counterparts affected), as well as classify cyber threats based on the criticality of the services at risk.
- Submit an initial notification and reports on major ICT-related incidents to the relevant competent authority. The feedback received should be evaluated and will provide guidance to the financial institution, in particular to discuss solutions at the institution level or ways to minimize the adverse impact on all sectors.
- Digital operational resilience testing. Financial entities shall, establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework. This shall include:
- Annual testing of all critical ICT systems and applications (vulnerabilities, code analysis, performance, capacity, etc.).
- Advanced threat-specific testing of critical functions and services, validated by supervisory authorities.
Entities shall ensure that testing is carried out by third independent parties and at least annually.
- ICT third-party risk. DORA extends the perimeter to all high-risk providers (not only those considered as outsourcing in EBA Guidelines). Institutions must develop a register of information containing a complete overview of all third parties providing ICT services and report changes to the regulator once a year. An assessment of ICT concentration risks is also required.
- Information-sharing arrangements. To raise awareness of ICT risk, minimise its spread, support financial institutions' defensive capabilities and threat detection techniques, DORA enables and encourages financial institutions to enter into agreements to share cyber threat intelligence and information with each other.
Next steps
- DORA will start to apply from January 2025.
- ESAs shall submit regulatory technical standards (RTS) specifying some aspects set out in DORA by July 2024.
Download the technical note Digital Operational Resilience Act (DORA) (only available in Spanish).