Open Review of Management, Banking and Finance

«They say things are happening at the border, but nobody knows which border» (Mark Strand)

“What is DORA?” (Digital Operational Resilience Act). Regulation (EU) 2022/2554 of December 14, 2022 on Digital Operational Resilience for the Financial Sector

By Marco Sepe *

ABSTRACT: With Regulation (EU) 2022/2554 (DORA), the provisions on ICT risk have been updated and consolidated into a single regulatory text, within the scope of the operational risk requirements, which until now had been dealt with separately and in an uncoordinated manner across various legal acts of the Union. In order to achieve a common and adequate level of digital operational resilience, DORA establishes a series of obligations for the entities falling within its scope which concern five specific areas, briefly discussed in the text: a) management of ICT and cyber risks (Risk Management); b) management of ICT and cyber incidents (Incident Reporting); c) digital operational resilience testing, which makes advanced resilience testing of ICT systems mandatory; d) management of ICT risks deriving from the use of ICT third-party service providers; e) information sharing. The work ends with a brief reference to the communications issued by the Bank of Italy for the first application of the rules starting from 17 January 2025.

SUMMARY: 1. What is DORA? 2. The regulatory framework of DORA (the DORA package). 3. To whom DORA applies. 4. The five pillars of DORA. 5. ICT and Cyber Risk Management (Risk Management). 6. ICT and Cyber Incident Management (Incident Reporting). 7. Digital Operational Resilience Testing. 8. Management of ICT and Cyber Risks Arising from the Use of ICT Service Providers (Third Parties). 9. Information Sharing.

1. The use of ICT has in the past decades gained a pivotal role in the provision of financial services, to the point where it has now acquired a critical importance in the operation of typical daily functions of all financial entities.

From a “micro” perspective, it is therefore essential for intermediaries to manage ICT risk adequately: given the growing reliance on technology, ICT risk increasingly exceeds the boundaries of operational risk and cuts across the entire business, and weaknesses in the management of IT resources can affect both the reputation of intermediaries (Comm. BI. 22.10.2024) and their stability.

From a “macro” perspective, in a 2020 report on systemic cyber risk, the European Systemic Risk Board (ESRB) reaffirmed that the current high level of interconnection between financial entities, financial markets, and financial market infrastructures, and in particular the ever-growing interdependence of their respective ICT systems (mostly provided by third parties), could constitute a systemic vulnerability: localized cyber incidents could quickly spread from any of the approximately 22,000 financial entities in the Union to the entire financial system, without encountering any geographical boundaries (Recital 3).

The purpose of DORA is therefore to provide a comprehensive regulatory framework aimed at safeguarding the financial services sector and its clients from incidents related to the use of ICT tools, improving the way financial institutions mitigate, document, and respond to potential threats and vulnerabilities.
To this end, DORA introduces a monitoring regime and strict responsibilities for financial institutions and their essential ICT service providers, requiring the management of financial institutions to adopt appropriate risk management strategies, monitor the execution of these strategies, and keep up with the evolution of the ICT risk landscape. DORA aims to update and consolidate, into a single regulatory text, the requirements concerning cyber risks within the framework of operational risk requirements, which were previously treated separately and in an uncoordinated manner across various Union legal acts.

2. The regulatory background of DORA is based on:

– March 2018: EU Fintech Action Plan (Commission Communication of March 8, 2018, titled “Action Plan on Fintech: A more Competitive and Innovative European Financial Sector”), which emphasized the fundamental importance of greater resilience in the Union’s financial sector, including operational resilience, to ensure the smooth functioning and technological security of the sector, as well as the rapid recovery after incidents and breaches related to the use of ICT tools. This ultimately aims to ensure the effective and orderly provision of financial services across the Union, even in times of stress, while preserving consumer and market operator confidence.

– April 2019: Joint Technical Advice of the European Supervisory Authorities (EBA, ESMA, EIOPA), a joint publication of technical opinions calling for a consistent approach to ICT risk in the financial sector and recommending that the digital operational resilience of the financial services sector be strengthened, in a proportionate manner, through a sectoral initiative at Union level.

– September 2020: Publication of the EU Digital Finance Package, a legislative corpus that outlined an approach to the digitalization of finance, divided into two strategic development lines: the Digital Finance Strategy and the Retail Payments Strategy. Within the Digital Finance Strategy, alongside a directive amending existing directives, three proposals were presented, which led to the following regulations: 1) the Regulation on Markets in Crypto-assets (the so-called MiCAR – Regulation (EU) 2023/1114 of May 31, 2023); 2) the Regulation introducing a pilot regime for market infrastructures based on Distributed Ledger Technology (the so-called DLT Pilot Regime – Regulation (EU) 2022/858 of May 30, 2022); 3) the Regulation on digital operational resilience for the financial sector (the so-called DORA – Regulation (EU) 2022/2554 of December 14, 2022).

The so-called DORA package consists in particular of Regulation (EU) 2022/2554 (106 recitals and 64 articles), which entered into force on January 16, 2023 and applies (compliance deadline) from January 17, 2025, together with extensive second-level technical regulation by the three European Supervisory Authorities (ESAs): Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) to be adopted by the Commission, as well as guidelines and reports.

Among the delegated acts already adopted (all of March 13, 2024) are: a) Delegated Regulation (EU) 2024/1772: regulatory technical standards on the criteria for classifying ICT-related incidents and cyber threats; b) Delegated Regulation (EU) 2024/1773: regulatory technical standards on the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers; c) Delegated Regulation (EU) 2024/1774: regulatory technical standards specifying the ICT risk management tools, methods, processes and policies, and the simplified ICT risk management framework.

The DORA package is a cross-sectoral regulation within the financial sector, applying to financial entities and to their ICT service providers. It intersects with the horizontal EU cybersecurity framework applicable to entities in the listed sectors exceeding a certain size threshold (which include three types of financial entities: credit institutions, trading venues, and central counterparties), originally set out in Directive (EU) 2016/1148 (NIS), now repealed and replaced by Directive (EU) 2022/2555 (NIS2) on measures for a high common level of cybersecurity across the Union.

DORA therefore constitutes a lex specialis in relation to Directive (EU) 2022/2555: for the financial entities it covers, the corresponding NIS2 provisions on cybersecurity risk management and incident reporting give way to DORA, while NIS2 continues to apply to the matters DORA does not regulate (Recital 16).

3. DORA applies to 21 types of entities (Article 2, paragraph 1), the first twenty of which (points a to t) are collectively referred to as “financial entities” (Article 2, paragraph 2):

a) Credit institutions;

b) Payment institutions, including those exempted under Directive (EU) 2015/2366;

c) Account information service providers;

d) Electronic money institutions, including those exempted under Directive 2009/110/EC;

e) Investment firms;

f) Crypto-asset service providers authorized under the MiCAR regulation and issuers of asset-referenced tokens;

g) Central securities depositories;

h) Central counterparties;

i) Trading venues;

j) Trade repositories;

k) Managers of alternative investment funds;

l) Management companies (UCITS);

m) Data reporting service providers;

n) Insurance and reinsurance undertakings;

o) Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries;

p) Institutions for occupational retirement provision (occupational pension funds);

q) Credit rating agencies;

r) Administrators of critical benchmarks;

s) Crowdfunding service providers;

t) Securitization data repositories;

u) ICT third-party service providers (which are not themselves “financial entities”).

Excluded from the scope of application (Article 2, paragraph 3) are: a) managers of alternative investment funds below the thresholds referred to in Article 3, paragraph 2, of Directive 2011/61/EU; b) insurance and reinsurance undertakings referred to in Article 4 of Directive 2009/138/EC; c) institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total; d) natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU; e) insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries which are micro, small, or medium-sized enterprises; f) post office giro institutions as referred to in Article 2, paragraph 5, point 3, of Directive 2013/36/EU.

Based on the principle of proportionality, the following are also provided:

– exemptions and a lighter regime for microenterprises, which under the DORA Regulation (Article 3, point 60) means “a financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million”;

– a simplified ICT risk management framework (first pillar) for: small and non-interconnected investment firms; payment institutions exempted under Directive (EU) 2015/2366; institutions exempted under Directive 2013/36/EU; electronic money institutions exempted under Directive 2009/110/EC; and small institutions for occupational retirement provision (Article 16, paragraph 1);

– differentiated rules for certain categories of entities (advanced, threat-led testing only for financial entities identified for that purpose by the competent authorities) or for certain aspects (mandatory reporting only for major ICT-related incidents).

4. The objective of DORA is to ensure “digital operational resilience,” defined (Article 3, point 1) as “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.”

In order to achieve a common and adequate level of digital operational resilience, DORA establishes a series of obligations for entities within its scope, which cover five specific areas:

  1. ICT and Cyber Risk Management: a harmonized framework for ICT governance and control is introduced, in continuity with the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04), including an ICT risk management framework to be documented and reviewed at least once a year. The ICT risk tolerance level is also set, in accordance with the financial entity’s risk appetite.
  2. ICT and Cyber Incident Management (Incident Reporting): harmonized processes and criteria are introduced for the classification, recording, and management of ICT-related incidents and cyber threats, together with reporting obligations for major ICT-related incidents and procedures for the voluntary notification of significant cyber threats.
  3. Digital Operational Resilience Testing: testing of ICT systems and tools supporting critical or important functions becomes mandatory (appropriate tests at least yearly for all financial entities other than microenterprises, and threat-led penetration testing at least every three years for the financial entities identified by the competent authorities).
  4. ICT Risk Management Related to ICT Third-Party Service Providers: financial entities are subject to controls in line with those outlined in the EBA Guidelines on outsourcing (EBA/GL/2019/02). A European oversight regime is introduced for critical ICT third-party service providers. Specific obligations regarding the contractual arrangements between ICT third-party service providers and financial entities are also laid down.
  5. Information Sharing: voluntary information-sharing arrangements at Union level are promoted to help the financial sector community prevent and collectively respond to cyber threats, rapidly containing the spread of cyber risks and preventing potential contagion through financial channels.

Additionally, DORA introduces rules (Article 1):

– for the establishment and conduct of an Oversight Framework for critical ICT third-party service providers when they provide services to financial entities;

– on cooperation between competent authorities, and on supervision and enforcement by competent authorities, in relation to the matters covered by the Regulation.

5. As part of the overall risk management system (the first pillar), financial entities must establish a sound, comprehensive, and well-documented ICT risk management framework, allowing them to address ICT risk quickly, efficiently, and comprehensively and ensuring a high level of digital operational resilience (Article 6, paragraph 1).

The framework for managing ICT risks includes at least the strategies, policies, procedures, protocols, and tools necessary for protecting all information assets and ICT resources, including software, hardware, and servers, as well as all relevant physical infrastructures and components, such as facilities, data processing centers, and designated sensitive areas. This ensures that all information assets and ICT resources are adequately protected against risks, including damage and unauthorized access or use (Article 6, paragraphs 1 and 2).

The management of ICT risks involves six key actions:

  • Identification (Article 8): (Business functions supported, information assets, network and ICT resources, physical facilities, hardware and software, sources of risk, ICT system configurations, and interconnections with internal and external systems).
  • Protection and Prevention (Article 9): (Adoption of policies, procedures, and protocols aimed at achieving digital resilience and maintaining, through a risk-based approach, high standards of availability, authenticity, integrity, and confidentiality of data).
  • Detection (Article 10): (Prompt detection of anomalous activities, cyberattacks, incidents, and vulnerabilities through continuous monitoring and multiple layers of control, with alert thresholds and criteria that trigger the incident detection and response processes).
  • Response and Recovery (Articles 11–12): (Adoption of a specific ICT business continuity policy, as part of the financial entity’s overall business continuity policy, providing for: secure and segregated backup and restoration procedures, ICT business continuity for critical or important functions, ICT response and recovery plans, preliminary assessments of impacts, damages and losses, and crisis communication and management actions).
  • Learning and Improving (Article 13): (Obligations related to:

– Gathering information on vulnerabilities and cyber threats

– Post-incident reviews following significant ICT disruptions

– Analysis of the causes of disruptions and evaluation of the response to the incident

– Annual reporting to management

– ICT security awareness and training programs).

  • Communication (Article 14): (Preparation of communication plans for internal staff, customers, counterparties, and the public during crises (in addition to communications with Authorities); at least one dedicated resource for implementing the public and media communication strategy for ICT-related incidents).

6. The second pillar consists of obligations related to:

  • Establishing and implementing an ICT-related incident management process to detect, record, monitor, and manage ICT-related incidents, and to record significant cyber threats (Article 17).
  • Classifying ICT-related incidents according to the criteria set out in the Regulation and further specified by the European supervisory authorities (Article 18 and Delegated Regulation (EU) 2024/1772): the number or relevance of affected clients and financial counterparts, duration, geographical spread, data losses, criticality of the services affected, and economic impact.
  • Reporting major ICT-related incidents to the competent authority (Article 19) through an initial notification, an intermediate report, and a final report, the last when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when actual impact figures are available to replace estimates; significant cyber threats may also be notified on a voluntary basis.
  • Informing clients, without undue delay and as soon as the entity becomes aware of it, of major ICT-related incidents that may impact their financial interests, together with the measures adopted to mitigate the adverse effects of the incident; for significant cyber threats, informing potentially affected clients of any appropriate protective measures.

The competent authority, after receiving the incident reports, acknowledges receipt and may, where feasible, promptly provide relevant and proportional feedback or high-level guidance to the financial entity, particularly by making available anonymized data and information on similar threats. It may also discuss remedies applied at the financial entity level and methods to minimize and mitigate the adverse effects within the financial sector (Article 22).

Additionally, European Authorities are expected to:

– Draft regulatory technical standards and implementing technical standards to establish the content of reports, common reporting templates, and harmonized procedures (Article 20).

– Prepare a joint report assessing the feasibility of further centralizing incident reporting through the establishment of a single EU hub for reporting significant ICT-related incidents by financial entities (Article 21).

7. The third pillar of DORA consists of a digital operational resilience testing programme, under which appropriate tests must be carried out at least yearly on all ICT systems and applications supporting critical or important functions, by independent parties (internal or external to the entity), with microenterprises exempted from part of these requirements (Article 24).

This is divided into:

a) Testing of ICT tools and systems (Article 25): to be carried out by all financial entities, in the form of vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing.

b) Advanced Testing (Article 26): to be carried out only by the financial entities identified by the competent authorities, in the form of threat-led penetration testing (TLPT) at least every three years, covering several or all of the critical or important functions and performed on live production systems.

8. The fourth pillar of DORA consists of the provisions governing the relationships that financial entities establish with ICT third-party service providers, together with the specific oversight regime introduced for those providers designated as critical.

In particular, these provisions pertain to:

a) General Principles Regarding ICT Third-Party Risk (Article 28), which include:

  • Full responsibility of the financial entity, even in the case of outsourcing
  • Proportionality
  • A strategy on ICT third-party risk
  • A register of information on all contractual arrangements for the use of ICT services provided by third parties
  • Documentation and record-keeping of ICT service contracts (distinguishing those supporting critical or important functions from other services)
  • Safeguards before the contract (supplier assessment and quality standards, assessment of risks and conflicts of interest, compliance with supervisory conditions), during the contract (access, inspection, audit and update rights), and after the contract (rules on termination and on service continuity)

In the preliminary evaluation, consideration is also given (including any alternative solutions) to the risk of concentration of ICT services supporting essential and important functions (Article 29), with regard to: a) the conclusion of a contract with a third-party ICT provider that is not easily replaceable; b) the existence of multiple contracts for ICT services with the same third-party provider or with closely connected third-party providers; c) where the contract allows for subcontracting, the risks and benefits associated with this (especially if the subcontractor is located in a third country) and the potential impact on the financial entity’s ability to monitor potentially long and complex subcontracting chains.

b) Key Contractual Provisions and their Minimum Content (Article 30; see also Delegated Regulation (EU) 2024/1773), including:

  • Description of all functions and services, service levels, and any subcontracting.
  • Indication of the locations where data will be stored and processed.
  • Clauses related to accessibility, availability, integrity, security, and protection of data.
  • Full description of the service (including related updates and revisions with specific quantitative and qualitative performance objectives).
  • Notification periods and reporting obligations of the third-party provider.
  • Obligation for the third-party provider to assist and cooperate fully with competent authorities.
  • Obligation for the third-party ICT service provider to implement and test emergency operational plans and to establish measures, tools, and policies for ICT security.
  • Right to monitor (access, inspection, and audits by the financial entity—or by a designated third party).
  • Termination rights and exit strategies (including migration to another provider or in-house).

The third kind of provisions concern:

c) The Oversight Framework for Critical ICT Third-Party Service Providers (Articles 31–44): once a provider has been designated as critical, oversight is conducted by a Lead Overseer (one of the three ESAs), supported by an Oversight Forum established as a sub-committee of the Joint Committee of the ESAs.

9. The fifth pillar of DORA consists of voluntary information-sharing mechanisms and the analysis of cyber threats, aimed at enhancing the digital operational resilience of financial entities, particularly by increasing awareness of cyber threats, containing or inhibiting the spread of such threats, supporting defense capabilities, threat detection techniques, mitigation policies, and response and recovery phases (Article 45).

These mechanisms are characterized by:

  • Voluntary participation by financial entities.
  • Protection of the sensitive nature of shared information.
  • Notification of participation to the competent authorities.
  • Possible participation of the competent authorities, including through specifically created sharing platforms.

Author

* Marco Sepe is Full professor of Economic Law at Unitelma Sapienza University of Rome 

This entry was posted on 23/03/2024 in Uncategorized.