- Since 16 January 2023
- Applies since 17 January 2025
Summary
DORA marks a cornerstone of the EU financial regulatory framework by introducing a comprehensive set of rules concerning the risk management of financial sector firms in the context of information and communications technologies (ICT) to strengthen their digital operational resilience and mitigate cyber threats.
Scope
DORA applies to ‘financial entities’ and ‘ICT third-party service providers’. Financial entities include more traditional financial entities (e.g., banks, investment firms and insurance undertakings) but also fintechs (e.g., crypto-asset service providers and crowdfunding service providers). ICT third-party service providers are undertakings providing digital and data services through ICT systems to users on an ongoing basis, including hardware as a service and hardware services (which includes the provision of technical support via software or firmware updates by the hardware provider), excluding traditional analogue telephone services.
Key elements
- ICT risk management: obligation for financial entities to have an internal governance and control framework according to the three lines of defence (or another internal) model, with a dedicated ICT risk control function and clear roles, responsibilities and reporting lines, to effectively address ICT risks; this includes a well-documented ICT risk management framework comprising strategies, policies, procedures, systems, protocols and tools to adequately protect information assets and ICT assets as well as to identify, respond to, recover from and learn from ICT-related incidents, cyber threats and ICT vulnerabilities
- ICT-related incident management and reporting: obligation for financial entities to set up processes to detect, record, categorise, manage and notify ICT-related incidents and certain cyber threats; at least major ICT-related incidents and significant cyber threats must be reported to affected clients and, in the case of major ICT-related incidents, to competent authorities
- Digital operational resilience testing: obligation for financial entities to establish, maintain and review a sound and comprehensive digital operational resilience testing programme that includes testing of ICT tools and systems by independent internal or external testers (at least annually for ICT systems and applications supporting critical or important functions) and follow-up on revealed weaknesses, deficiencies or gaps; for selected financial entities, such as those which play a critical role in the financial system, this includes additional threat-led penetration testing at least every three years
- ICT third-party risk management: obligation for financial entities to manage ICT third-party risk as an integral component of ICT risk, including to adopt and regularly review a strategy on ICT third-party risk, to maintain and update a register of information relating to all contractual arrangements on the use of ICT services provided by ICT third-party service providers, to annually report certain information on such arrangements and providers to competent authorities, to inform competent authorities about any planned contractual arrangement on the use of ICT services supporting critical or important functions, to undertake risk assessments both at entity level and related to specific contractual arrangements with ICT third-party service providers before entering into them, and to include certain minimum terms in such contractual agreements (which also implies adapting existing agreements)
- Oversight framework of critical ICT third-party service providers: ICT third-party service providers which are designated as ‘critical’, particularly because of their systemic relevance, are placed under direct oversight of a supervisory authority (so-called ‘Lead Overseer’) which has the right to assess the rules, procedures, mechanisms and arrangements which the critical ICT third-party service providers have in place to manage the ICT risk which they may pose to financial entities, to request all relevant information and documentation it deems necessary for the performance of its duties, to conduct general investigations and inspections, to request reports and to issue recommendations, such as on ICT security and quality, the use of terms and conditions and subcontracting; financial entities shall only make use of the services of a critical ICT third-party service provider established in a third country if the latter has established a subsidiary in the EU within the 12 months following the designation as ‘critical’
Enforcement
- Financial entities: EU member states must lay down rules establishing appropriate administrative penalties and remedial measures and may additionally impose criminal penalties for breaches of DORA; public disclosure of breaches and penalties (‘naming and shaming’)
- Critical ICT third-party service providers: periodic penalty payments on a daily basis of up to 1 % of the average daily worldwide turnover; public disclosure of non-compliance (‘naming and shaming’); decisions requiring financial entities to temporarily suspend the use or deployment of a service provided by a critical ICT third-party service provider and/or to terminate the relevant contractual arrangement
Challenges
- Scoping to be carried out in respect of financial entities and ICT third-party service providers (often involving fact finding/due diligence, especially in a group context)
- Testing programmes for ICT tools and systems to be adjusted, including preparing for Threat-Led Penetration Testing (TLPT), aligning with involved ICT third-party service providers on liability and ensuring data confidentiality, especially in multi-client environments
- Identification and classification of ICT-supported business functions, information assets and ICT assets as well as assessment of ICT risks, cyber threats and ICT vulnerabilities required
- Gap analysis regarding, and potentially far-reaching adaptations/enhancements to, ICT risk management frameworks needed, including with a view to the organisational and technical set-up (ICT solutions and processes), ICT-related incident management and reporting systems, digital operational resilience testing programmes and ICT third-party risk management
- Outsourcing and other ICT service-related agreements to be identified, reviewed and renegotiated
- Comprehensive documentation to be in place to be able to demonstrate compliance: strategies, policies, plans and registers with the minimum content set out in DORA and its comprehensive Level 2 acts (delegated and implementing regulations)
- Senior management buy-in recommended, also in light of accountability: management body is ultimately responsible for managing ICT risk
- Appropriate budget, resources and training to be ensured
- Careful assessment of the interplay with other legal acts (e.g., NIS2, GDPR) required