The Digital Operational Resilience Act (DORA) is a European Union regulation introduced to strengthen the ICT security of financial entities such as banks, insurance companies, and investment firms. Its aim is to ensure that the European financial sector can remain resilient in the event of a severe operational disruption. It applies from January 17, 2025, and harmonizes the rules on operational resilience for the financial sector, covering 20 different types of financial entities as well as the ICT third-party service providers that serve them.
The financial sector is increasingly dependent on technology, and on technology companies, to deliver financial services. This dependency exposes financial entities to cyber-attacks and ICT incidents. When ICT risks are not managed properly, they can lead to disruptions of financial services offered across borders. This, in turn, can affect other companies, other sectors, and ultimately the wider economy, which underlines the importance of the digital operational resilience of the financial sector.
The act covers a wide range of topics, including ICT risk management, ICT third-party risk management, digital operational resilience testing, ICT-related incident reporting, information sharing, and oversight of critical ICT third-party providers. The three European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)) are preparing a set of policy products, such as regulatory and implementing technical standards, to enable the application of DORA.