Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA), part of the Digital Finance Package, was drafted on 24 September 2020 and will take effect on 17 January 2025. It applies to EU financial institutions and their ICT service providers.
DORA’s Objectives
DORA has two main objectives:
Enhance the financial sector's resilience to ICT-related incidents.
Harmonise ICT risk management regulations across the EU.
DORA’s Scope
DORA applies to all financial institutions in the EU, covering traditional entities such as banks and investment firms as well as non-traditional entities such as crypto-asset service providers (CASPs).
DORA is not applicable to:
“managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU;
insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC;
institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total;
natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU;
insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises;
post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU.”
[Source: Article 2 of the Digital Operational Resilience Act (Regulation (EU) 2022/2554)]
DORA’s Pillars
ICT Risk Management
Chapter II (Articles 5 - 16) sets out how DORA mandates that entities establish a robust ICT risk management framework, including resilient ICT systems and continuous identification of threats and vulnerabilities.
Under DORA, the management body (board members) is responsible for approving business continuity and disaster recovery plans, setting risk tolerance levels, and ensuring that cybersecurity measures are implemented.
ICT-related Incident Reporting
In Chapter III (Articles 17, 23 and 24), DORA sets out how entities must implement systems to monitor, manage, and report ICT-related incidents. Following the criteria set by the relevant ESAs, incidents must be reported to authorities using standardised templates and coordinated procedures, including initial, intermediate, and final reports to regulators, clients, and partners.
Digital Operational Resilience Testing
Entities must routinely conduct tests to evaluate the security of their IT systems and data centres. DORA requires companies to establish risk-based testing programmes to enhance their digital resilience.
Managing ICT Third-party Risk
DORA requires financial entities to standardise critical aspects of ICT third-party provider relationships, including detailed contracts and risk management strategies covering exit plans and performance targets.
Chapter V (Articles 28 - 44) discusses DORA’s requirements in further detail.
Information Sharing
DORA requires financial entities to implement processes for learning from ICT-related incidents and encourages participation in voluntary cyber threat intelligence sharing arrangements, provided that data protection rules such as GDPR are respected.
Timeline for DORA
For a more in-depth explanation, see What Is the Digital Operational Resilience Act (DORA)? or the Digital Operational Resilience Act (Regulation (EU) 2022/2554).