Introduction to DORA – Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) Regulation 2022/2554/EU is a European regulation that aims to strengthen the digital operational resilience of the EU internal market in the context of increasingly sophisticated cyber threats.

The DORA Regulation sets out the technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by 17 January 2025.

DORA documentation kit – Language: English
Sale! Original price was: 998,00 €.Current price is: 499,00 €.
Add to cart and unlock the extra 20% discount

Target audience
The DORA Regulation is aimed at banks, insurance companies, financial institutions and ICT service providers.

What it establishes
DORA sets out the technical requirements for financial entities and ITC providers in four areas:

ICT risk management and governance
Incident reporting and response
Digital operational resilience testing
Third Party Risk Management

ICT Risk Management (Articles 5-16)
The first pillar of DORA concerns operational risk management. Financial entities are required to identify, categorise and manage the operational risks associated with their digital activities, with an emphasis on involving the entire organisation in adopting and maintaining measures to meet the identified tolerance level, with particular emphasis on critical functions and the evolution of Business Continuity into comprehensive resilience systems.
ICT Incident Management (Articles 17-23)
Incident management is a key aspect of ensuring operational resilience in the financial sector and digital services, and the DORA Regulation sets out guidelines involving a rapid, coordinated and well-planned response to events that threaten the security and business continuity of companies in the digital environment, as well as conducting a post-mortem analysis to identify lessons learned and areas for improvement. This continuous learning process is essential to strengthen operational resilience and prevent future similar incidents.
Digital Operational Resilience Testing (Articles 24-27)
With a view to achieving operational resilience, it is important to adopt testing as an integral part of the risk management strategy. DORA-compliant digital operational resilience testing aims to assess an organisation’s ability to withstand and recover from adverse events in the digital environment.
Third Party ICT Risk Management (Articles 28-30)
Third Party Management according to the DORA Regulation requires companies to proactively and carefully manage third party relationships to protect digital infrastructure and ensure operational resilience by assessing and monitoring the risks associated with the ICT vendor supply chain in relation to the type, criticality and number of services provided. Financial entities are required to conduct thorough due diligence before engaging with a third party and monitor it over time, integrate security requirements into contracts, and contingency measures in the event of contract termination.
Information and Intelligence Sharing (Article 45)
The fifth pillar of DORA promotes collaboration and information sharing between financial entities and competent authorities to protect against common threats, vulnerabilities, and to support overall defence capabilities to effectively address digital threats, including cross-border threats.