The Digital Operational Resilience Act (DORA) is a new regulation that aims to strengthen the information and communication technology (ICT) security of financial entities in the European Union (EU). It was published in the Official Journal of the EU on 27 December 2022 and will enter into force on 16 January 2023. It will apply to a range of financial entities, including credit institutions, investment firms, central securities depositories, central counter parties, trading venues, benchmark administrators, fund management companies, insurance and reinsurance undertakings, insurance intermediaries, payment institutions, electronic money institutions, crypto-asset service providers, issuers of asset-referenced tokens, and crowdfunding service providers. There are limited exclusions for smaller firms, and DORA will also apply to third-party ICT service providers such as cloud platforms and data analytics providers.

The main objective of DORA is to prevent and mitigate cyber threats and ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It aims to achieve a high level of digital operational resilience across all EU member states. To this end, DORA imposes uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. This includes requirements for ICT risk management, ICT-related incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures for the management of ICT third-party risk. Firms will be required to conduct concentration risk assessments of all outsourcing arrangements relating to the delivery of critical or important functions, and the competent authority will have the power to order a firm to suspend or terminate a contract with a critical ICT third-party service provider as a measure of last resort.

Certain third-party ICT service providers that are designated as "critical" by the European Supervisory Authorities (ESAs) will be subject to a new oversight framework. This will bring these firms within the regulatory perimeter for the first time and subject them to supervisory powers. The ESAs will assess whether each critical ICT third-party service provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements in place to manage cyber risk.
Empty space, drag to resize
Empty space, drag to resize

Who does DORA apply to:

  • credit institutions   
  • payment institutions 
  • account information service providers   
  • electronic money institutions   
  • investment firms
  • crypto-asset service providers    
  • central securities depositories    
  • central counterparties
  • trading venues 
  • trade repositories   
  • managers of alternative investment funds
  • management companies
  • data reporting service providers 
  • insurance and reinsurance undertakings
  • insurance intermediaries 
  • reinsurance intermediaries
  • institutions for occupational
  • retirement provision 
  • credit rating agencies
  • administrators of critical benchmarks  
  • crowdfunding service providers 
  •  securitisation repositories ·    
  •  ICT third-party service providers

What are the key dates?  

They key "DORA Dates and Milestones" are as follows. The Digital Operational Resilience Act, was published in the Official Journal of the European Union on December 27, 2022. It will enter into force on January 16, 2023 and will apply from January 17, 2025.

The ESAs (European Supervisory Authorities) have been tasked with developing technical standards (Level 2 rules) that will be applicable to all financial entities within the scope of DORA. These technical standards are expected to be adopted by the end of 2024. Firms should begin preparing for DORA now in order to ensure compliance when it comes into effect.

What do the fines look like?

In relation to financial penalties, entities found to be in violation of the Act's requirements may face fines of up to 2% of their total annual worldwide turnover or, in the case of an individual, a maximum fine of EUR 1,000,000. The amount of the fine will depend on the severity of the violation and the financial entity's cooperation with authorities.

Financial entities that fail to report major ICT-related incidents or significant cyber threats as required under DORA may also face fines. Third-party ICT service providers designated as "critical" by the European Supervisory Authorities (ESAs) may face fines of up to EUR 5,000,000 or, in the case of an individual, a maximum fine of EUR 500,000 for non-compliance with the Act's requirements. The ESAs will have the authority to impose these fines.

What should I do?

Get DORA Certified Training –

Paul C Dwyer is the  ICTTF President, recognised as one of the world’s foremost experts on cyber security, risk and privacy.
Connect to Paul here.