The Digital Operational Resilience Act (DORA) is a European regulation aiming to establish a uniform and comprehensive framework for digital operational resilience across the EU financial sector. DORA provides a single set of rules for the use of ICT systems by financial institutions, focusing on ICT risk management, security and business continuity, resilience testing and contracting with ICT service providers. DORA also establishes an oversight framework for critical ICT service providers.
DORA has a broad scope. It applies to most companies engaged in financial services and regulated under an EU regime, including credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings and fund managers. From 17 January 2025, all financial institutions must be fully compliant with DORA. Only limited exceptions apply.
A wide range of technology-related contracts will be affected, as DORA will regulate all digital and data services provided on an ongoing (i.e. not one-off) basis. These are not limited to ICT services that qualify as outsourcing. The regulation applies to all new and existing arrangements with third-party ICT service providers – wherever they are located.
The obligations are organised in five pillars:
Governance – The management body will be responsible and accountable for the ICT risk management framework.
ICT risk management framework – A comprehensive framework must be established to identify ICT risks, monitor and control the functioning of systems, detect and respond to anomalous activities and learn from vulnerabilities.
Incident reporting – ICT-related incidents should be classified, and ‘major’ incidents should be reported to the authorities.
Resilience testing – An independent testing programme must be established and performed. Advanced threat-led penetration testing (TLPT) is required for certain financial institutions.
ICT third parties – Contracting ICT service providers requires due diligence on the service provider. Specific terms and conditions should be included. Additional requirements apply to ICT services supporting critical or important functions.
How will DORA fit into the existing regulatory framework?
DORA seeks to codify requirements that are currently covered by guidelines issued by EU and national authorities, such as ESMA’s Guidelines on outsourcing to cloud service providers. It also extends these requirements to all financial institutions covered by DORA. DORA should be read in conjunction with the regulatory outsourcing rules and Guidelines on outsourcing arrangements, bearing in mind that the obligations also apply to ICT services that do not qualify as outsourcing.
Will there be supervision on ICT service providers?
ICT third-party service providers deemed critical to the financial sector will be subject to direct oversight from one of the European Supervisory Authorities (EBA, ESMA or EIOPA). It is expected that large technology companies providing cloud services will be considered critical. Critical providers will have to comply with certain direct obligations under DORA. For example, those based in a third country that provide services to financial institutions in the EU will be required to establish a subsidiary in the EU to ensure effective supervision.
What other ICT rules are relevant?
Existing regulatory requirements and expectations already provide guidance on the management of ICT risks. Relevant examples include the EIOPA Guidelines on ICT security and governance for (re)insurers and the EBA Guidelines on ICT and security risk management for credit institutions, investment firms and payment service providers. It should also be noted that DORA is not the only EU initiative addressing ICT risks. The NIS2 Directive provides a horizontal cybersecurity framework across various critical sectors. This directive may apply to certain financial institutions (credit institutions, trading venues and central counterparties), but the EU legislature has designated DORA as a lex specialis, meaning that DORA takes precedence and, accordingly, only part of the NIS2 Directive will be relevant for these financial institutions.
The European Supervisory Authorities or ESAs (EBA, ESMA and EIOPA) have launched two joint consultations on policy mandates under DORA. The published Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and Guidelines further specify the expectations of legislators and regulators as financial institutions implement and apply the requirements set out in DORA.
This second batch comprises:
Global impact for groups with activities outside the EU
Although the scope of DORA extends to financial institutions regulated in the EU, we expect DORA to have a significant impact beyond the borders of the EU as well. As the obligations introduced by DORA apply to all ICT infrastructure used by EU financial institutions, they will also apply to ICT infrastructure that is shared between the EU companies and any of their group entities, even if these are located outside the EU. For global financial groups with substantial activities in the EU, it may therefore be more efficient to apply the obligations of DORA to their entire ICT infrastructure, rather than attempting to ring-fence the infrastructure used by their EU group companies.
Most financial institutions will need to update at least part of their ICT risk management and contracts with ICT service providers. A comprehensive gap assessment is recommended to evaluate DORA compliance and identify any areas that require further investment and prioritisation. Our Information & Communication Technology group has extensive expertise in advising clients on DORA compliance. We use our experience and operational knowledge to ensure clear, practical solutions.
Ways in which we assist our clients include: