Description
The Digital Operational Resilience Act (DORA) is a regulatory framework proposed by the European Commission to enhance the operational resilience of the financial sector in the European Union. DORA aims to ensure that financial institutions, including banks and market infrastructure providers, have robust cybersecurity measures in place to withstand and recover from cyberattacks and other operational disruptions. It sets out requirements for risk management, incident reporting, and cooperation between regulatory authorities to safeguard the stability of the financial system in the digital age.
Before DORA, financial institutions managed the main categories of operational risk mainly through the allocation of capital, but they did not manage all components of operational resilience. After DORA, they must also follow rules on protection, detection, containment, recovery and repair capabilities for ICT-related incidents. DORA will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The Regulation acknowledges that ICT incidents and a lack of operational resilience could jeopardise the soundness of the entire financial system, even where there is "adequate" capital for the traditional risk categories. Remember that the Digital Operational Resilience Act (DORA) is a Regulation, not a Directive, so it is binding in its entirety and directly applicable in all EU Member States.