Digital Operational Resilience Act (DORA) Legislation

All about the EU DORA Act

6/17/2026, 5 min read

In November 2022, the European Union (EU) adopted the Digital Operational Resilience Act (DORA), a regulatory framework that addresses the risks created by the digital transformation of financial services and by the growing volume and severity of cyber attacks against the sector. DORA entered into force in January 2023 and has applied since 17 January 2025, the date from which financial entities are expected to be compliant.

DORA is based on five pillars impacting financial entities:

  1. The management of risks related to Information and Communication Technologies (ICT)

  2. The management of incidents related to ICT

  3. The testing of their digital operational resilience

  4. The management of risks related to third-party service providers providing ICT services

  5. Information-sharing arrangements

Additionally, under the 4th pillar, DORA sets out how the European Supervisory Authorities will oversee the ICT third-party service providers designated as "critical" for the financial sector at European level.

DORA also comes as a full package of 10 delegated acts (RTS), 2 implementing acts (ITS) and guidelines that complete the Regulation, which shows the broad coverage, granularity and complexity of the framework applicable to financial entities.

ICT risk management framework:

Under DORA, financial entities are required to set up a comprehensive ICT Risk Management Framework (ICT-RMF), which includes the more than 20 policies and procedures expected by the regulator, from ICT asset management to information security, and also covers HR security, access management, and vulnerability and patch management. The framework further extends to additional exercises and assessments that require new methodologies, as well as documentation and review obligations for the financial entities.

  • To manage their ICT risks effectively, financial entities are also required to maintain a comprehensive view of their own functioning and capabilities, with an established architecture of their functions, including the identification of critical or important functions (CIFs), the distribution of roles and responsibilities, the information assets used and processed, and the supporting technology assets.

  • Entities are also expected to bring a risk culture to the ICT domain, by ensuring that their risk framework is adapted to and inclusive of ICT-specific aspects and that these are reflected in their risk appetite. This also concerns the management body, which must become more aware of ICT topics and the related risks in order to take informed decisions: the ICT domain is no longer left to the sole control or supervision of the IT department.

  • Operational resilience and ICT risk become a key component of how financial entities function, integrated into their longer-term development vision through a Digital Operational Resilience Strategy that senior management has to develop and approve, giving the impetus needed for stronger ICT risk management practice.

  • An ICT risk control function becomes mandatory for all financial entities, to ensure sufficient knowledge and expertise within the entity to control and review the management of ICT risks.

  • A new ICT risk report is also foreseen, to be submitted to the authorities upon request or reviewed in case of a major incident, containing information on how ICT risks have been managed, as well as on incidents and changes, over the covered period.

To meet these requirements, financial entities will therefore need to expand their existing resilience capabilities, clearly articulate their risk appetite for disruption, especially across CIFs, and adequately understand the interconnections between the services they deliver and their ICT assets, processes and systems.

ICT incident classification and reporting:

Under DORA, financial entities are subject to a new classification, notification and reporting framework for ICT-related incidents, which will challenge the existing collection, analysis and escalation processes within financial entities. As part of this framework, and in line with the accompanying RTS, financial entities must:

  • Develop a streamlined process to detect, record and classify all major ICT-related incidents and significant cyber threats, which requires mature incident management capabilities to monitor, handle and resolve all incidents.

  • Assess the impact of all ICT incidents and analyse their root causes. In particular, entities must now apply the criteria provided by the European framework when assessing whether an incident is major, using a set of defined impact thresholds that dictate whether the incident needs to be notified to the competent authority.

  • Pay particular attention to recurring incidents, for which dedicated measures must be defined to ensure their proper detection, resolution and, where applicable, reporting.

  • Notify major incidents to the competent authority in three stages (initial, intermediate, final), each with its own report.

  • Inform relevant third parties and stakeholders (clients, other financial entities, suppliers, etc.) in the event of a major ICT-related incident and provide them with information on mitigation measures. In the case of significant cyber threats, financial entities shall inform clients who might be affected and provide information on appropriate protection measures. This also means that financial entities must be organised, with the means and proper plans in place, to run such communication.

The obligations under DORA do not replace other incident reporting obligations under relevant frameworks (e.g., GDPR, NIS 2, the CER Directive, the AI Act).

Operational resilience testing:

DORA establishes digital operational resilience testing (ORT) requirements for financial entities, which have to:

  • Set up an annual testing and exercising programme covering their tools and systems, using appropriate testing methodologies such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing and end-to-end testing.

  • Annually conduct advanced security and resilience tests on critical ICT systems and applications, especially on those supporting critical or important functions.

  • Promptly remediate any vulnerabilities, deficiencies or gaps identified by the tests through the implementation of mitigating measures.

  • For the entities designated by the authorities, periodically (at least every 3 years) conduct advanced Threat-Led Penetration Testing (TLPT). ICT third-party service providers supporting CIFs are required to participate and fully cooperate in these tests, something that is rarely done in exercises today.

In combination with the stringent BCM/DR requirements, ORT could become a significant area of supervisory scrutiny and force financial entities to develop broader and more accurate testing and scenario analysis capabilities.

Third-party risk management:

Under DORA, financial entities are legally obliged to implement third-party risk management (TPRM) requirements, including:

  • Putting in place a TPRM framework, including the definition of dedicated roles and responsibilities.

  • Ensuring the adequacy of potential service providers by performing due diligence, collecting sufficient information and carrying out risk assessments, so that the risks linked to the provision of services by third parties are properly identified and the effectiveness of the controls and mitigation measures on each side is verified.

  • Ensuring that contracts with ICT third-party providers contain all the necessary and binding contractual terms, including on audit and access rights, monitoring, subcontracting and termination support. Where a service provider is unwilling to cooperate and help the financial entity comply, the financial entity is exposed, meaning the contractual relationship may need to be reconsidered or terminated, which creates significant operational and legal challenges.

  • Monitoring the performance of their ICT third-party providers and conducting (on-site) audits of those supporting CIFs. This means having monitoring plans in place, agreeing on internal standards, defining KPIs that are adequate and bring value when tracked, and organising internal roles and responsibilities, notably a dedicated function in the second line of defence controlling and ensuring the proper implementation of oversight activities.

  • Notifying the authorities of any new contractual arrangement for an ICT service supporting CIFs, taking into account the applicable local rules.

  • Understanding their dependencies on vendors by conducting concentration risk assessments, assessing their capacity to take the service back in-house and the alternatives available on the market, and drafting and testing exit strategies and plans for all contractual arrangements that support the delivery of CIFs.

Additionally, under this pillar, the European Supervisory Authorities review and analyse on a yearly basis the registers of information provided by financial entities in order to identify and designate critical ICT third-party service providers (CTPPs). Once designated, these CTPPs become subject to the oversight of the European Supervisory Authorities.

Cyberthreat intelligence and information sharing:

DORA allows financial entities to set up arrangements amongst themselves to exchange cyber threat information and intelligence. The supervisory authorities will also provide relevant anonymised information and intelligence on cyber threats to financial entities; financial entities should therefore implement mechanisms to review and act on the information shared by the authorities.


shubhamghotankar@gmail.com
