The Digital Operational Resilience Act (DORA) is a new regulation that aims to strengthen the information and communication technology (ICT) security of financial entities in the European Union (EU). It was published in the Official Journal of the EU on 27 December 2022 and will enter into force on 16 January 2023. It will apply to a range of financial entities, including credit institutions, investment firms, central securities depositories, central counterparties, trading venues, benchmark administrators, fund management companies, insurance and reinsurance undertakings, insurance intermediaries, payment institutions, electronic money institutions, crypto-asset service providers, issuers of asset-referenced tokens, and crowdfunding service providers. There are limited exclusions for smaller firms, and DORA will also apply to third-party ICT service providers such as cloud platforms and data analytics providers.
The main objective of DORA is to prevent and mitigate cyber threats and ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It aims to achieve a high level of digital operational resilience across all EU member states. To this end, DORA imposes uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. This includes requirements for ICT risk management, ICT-related incident management, classification and reporting, digital operational resilience testing, information and intelligence sharing in relation to cyber threats and vulnerabilities, and measures for the management of ICT third-party risk. Firms will be required to conduct concentration risk assessments of all outsourcing arrangements relating to the delivery of critical or important functions, and the competent authority will have the power to order a firm to suspend or terminate a contract with a critical ICT third-party service provider as a measure of last resort.
Certain third-party ICT service providers that are designated as "critical" by the European Supervisory Authorities (ESAs) will be subject to a new oversight framework. This will bring these firms within the regulatory perimeter for the first time and subject them to supervisory powers. The ESAs will assess whether each critical ICT third-party service provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements in place to manage cyber risk.