The Digital Operational Resilience Act (DORA) was proposed by the European Commission in September 2020 to strengthen the digital resilience of the financial sector. Banks, insurers, payment service providers and their IT service providers will have to comply with strict requirements on risk management, incident reporting and outsourcing. Since DORA is expected to become binding by 2025 at the latest, it is essential that companies prepare for these obligations early on.
Who or what is DORA?
On 24 September 2020, the European Commission published its proposal for a regulation on digital operational resilience in the financial sector, known as the Digital Operational Resilience Act (DORA), as part of the EU’s “Digital Finance” package. The aim is to end the fragmentation of cyber and IT risk rules in the financial industry and, for the first time, establish uniform, cross-sector minimum requirements for digital resilience in financial services companies.
Who is affected?
The proposal stipulates that all financial entities operating in the internal market are directly covered – without requiring prior national transposition – including banks, insurers, and investment firms. ICT third-party providers, particularly those of systemic importance, are also addressed: the regulation foresees that critical third-party providers must meet special requirements and be subject to EU-level oversight.
What are the key elements of the regulation?
The draft DORA regulation is structured around several core requirements:
- ICT risk management – Financial actors must maintain a robust framework to systematically manage technology risks.
- Reporting of ICT-related incidents – Harmonized thresholds and taxonomies should help identify and report serious IT disruptions.
- Operational resilience testing – Regular testing is required to identify vulnerabilities and ensure resilience.
- Third-party risk management – Including due diligence, monitoring, and rules governing outsourcing to ICT service providers.
- Information sharing – Exchange of threat intelligence and incident data to strengthen sector-wide defenses.
What must affected companies do?
Although no final requirements have been adopted yet, the proposal clearly points toward binding obligations:
- Establishing or adapting an ICT risk management framework, including governance and a digital resilience strategy.
- Setting up incident management processes with defined reporting channels and thresholds.
- Conducting regular tests, e.g. on operational continuity or stress scenarios.
- Reviewing and adjusting contracts with ICT service providers, especially in cloud or critical infrastructure contexts.
- Building or joining information networks for cyber-threat sharing.
All this comes with the understanding that smaller entities may be proportionally relieved – for example, through a “simplified ICT risk management framework.”
What timeline should be considered?
DORA is a promising regulatory proposal designed to provide a coherent, harmonized framework across the EU to address digital risks in the financial sector. With its focus on ICT risks, incident reporting, resilience testing, third-party oversight and cyber-threat sharing, DORA aims to eliminate regulatory fragmentation and strengthen the resilience of financial institutions.
The EU has announced its intention to move swiftly with adoption and implementation. While details on timing, technical standards and supervisory practices are still pending, the usual regulatory timelines allow for a rough projection. Figure 1 illustrates the expected schedule, from today’s proposal to the mandatory application of regulatory requirements, likely by late 2024 or early 2025.

For financial innovators and IT leaders, this means taking the necessary technological and organizational steps now – in full awareness that binding ICT resilience requirements will soon be introduced at EU level.