EU’s Digital Operational Resilience Act (DORA): What It Means for Financial Entities

The EU Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, has applied since January 17, 2025. DORA addresses a gap in the EU's financial regulatory framework by consolidating the previously fragmented approach to ICT risk management into a single set of requirements for the digital operational resilience of financial entities. With financial services increasingly digitized and cyber threats growing more sophisticated, financial entities face frequent cyberattacks, and DORA sets out the resilience measures they must have in place to withstand, respond to and recover from such incidents.

Highlights of DORA

DORA introduces several key provisions that financial entities must incorporate into their operational frameworks:

  1. ICT Risk Management: Article 6 of DORA mandates that “financial entities shall have in place a sound, comprehensive, and well-documented ICT risk management framework as part of their overall risk management system.” Financial entities must implement policies and procedures for identifying, assessing and mitigating ICT-related risks, and the framework must be documented and reviewed on an ongoing basis;
  2. Incident Reporting: Financial entities must establish clear protocols for detecting, classifying and reporting major ICT-related incidents to their competent authority within strict timeframes. Incidents are classified against defined criteria and reported in a structured form, and financial entities must carry out post-incident analysis to identify root causes and prevent recurrence;
  3. Digital Resilience Testing: Regular and comprehensive testing of digital operational resilience capabilities is mandated to ensure preparedness. Article 24(2) of DORA further clarifies that “the testing programme shall include a range of assessments, tests, methodologies, and tools to be applied.” DORA also introduces Threat-Led Penetration Testing (TLPT), carried out at least every three years by the financial entities that competent authorities identify for it, in practice the larger and more systemically significant ones;
  4. Third-Party Risk Management: Financial entities must assess and monitor the risks posed by external ICT service providers, including cloud service providers. In other words, they must conduct due diligence before contracting with a provider and maintain continuous monitoring of the relationship thereafter. DORA also sets out key contractual provisions that must be included in agreements with ICT third-party service providers, such as a clear description of all functions and services provided and the provider's obligation to cooperate with competent authorities;
  5. Regulatory Oversight and Coordination: Competent authorities supervise financial entities' compliance with DORA, with powers to request information, conduct on-site inspections and impose administrative penalties on a non-compliant financial entity. In addition, the European Supervisory Authorities (ESAs) act as Lead Overseers of ICT third-party service providers designated as critical, with powers to request information, conduct investigations and inspections, and impose periodic penalty payments;
  6. Information Sharing: Article 45 of DORA establishes voluntary information-sharing arrangements among financial entities. Financial entities can exchange intelligence on cyber threats, vulnerabilities, indicators of compromise and attack patterns, improving collective defence capabilities.

Impact on Financial Entities

For financial entities, DORA presents both a challenge and an opportunity. Small and medium-sized financial entities must now allocate resources to meet comprehensive ICT risk management requirements, which will raise their operational costs. Larger financial entities need to review, and potentially restructure, their third-party relationships, particularly with cloud service providers. At the same time, compliance with DORA can enhance organizational resilience and build stronger customer trust.

Implementation

Financial entities must navigate complex technical requirements while maintaining operational efficiency. The requirement for regular testing, including threat-led penetration testing (TLPT), demands substantial expertise and resources. Additionally, the need to monitor and manage third-party ICT risks adds another layer of complexity to vendor relationships.

Moving forward, financial entities should:

1. Conduct comprehensive gap analyses against DORA’s requirements;

2. Develop detailed implementation roadmaps;

3. Establish clear ICT risk management frameworks;

4. Review and update third-party service provider contracts; and

5. Invest in staff training and necessary technical resources.

With DORA now fully applicable, financial entities must prioritize their implementation strategies to close any remaining compliance gaps. DORA represents a fundamental shift in how the financial sector approaches digital operational resilience and sets a new benchmark for ICT risk management in financial services.
