Frequently Asked Questions

What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act is an EU regulation designed to ensure that financial institutions can withstand and recover from disruptions caused by information and communication technology (ICT) failures.

Who is affected by DORA?

DORA applies to financial institutions such as banks, insurance companies, and investment firms, and also to critical third-party service providers such as cloud providers and ICT suppliers.

Why was DORA introduced?

DORA was introduced to address growing cyber threats and ICT risks within the financial sector and to create a harmonized approach to ICT risk management across the EU.

When does DORA come into effect?

DORA was adopted in November 2022, and financial entities must be fully compliant by January 17, 2025.

What are the main goals of DORA?

The main goals are to enhance ICT resilience, reduce the impact of cyber threats, standardize ICT risk management practices, and ensure the safety of the EU financial system.

What are the key requirements under DORA?

Key requirements include having an ICT risk management framework, testing digital resilience regularly, incident reporting, and overseeing third-party service providers effectively.

What happens if a financial institution does not comply with DORA?

Non-compliance with DORA can lead to regulatory fines of up to 2% of global annual turnover, or up to 1 million euros for individuals. Critical third-party providers face even higher fines for non-compliance: up to 5 million euros, or up to 500,000 euros for an individual.

How does DORA define ICT risks?

ICT risks refer to risks related to the disruption or failure of information systems due to cyberattacks, system outages, or technical issues.

What are financial institutions required to do to manage ICT risks?

Institutions are required to develop, implement, and maintain an ICT risk management framework that addresses risk identification, protection, detection, response, and recovery.

How does DORA affect third-party service providers?

DORA places strict regulations on critical third-party service providers, including cloud and ICT service providers, requiring them to meet stringent resilience standards and undergo regular testing and audits.

What are the incident reporting requirements under DORA?

Financial institutions must report significant ICT-related incidents to the relevant supervisory authorities within a set time frame, with detailed information on the incident and mitigation efforts.

How often must financial institutions test their resilience?

Financial institutions are required to conduct regular tests, including penetration testing, vulnerability assessments, and scenario-based stress testing, to ensure they can withstand cyber threats.

What is the role of the European Supervisory Authorities (ESAs) under DORA?

The ESAs are responsible for overseeing compliance, issuing guidelines, and ensuring that all financial entities and third-party service providers meet DORA's requirements.

What is a critical third-party ICT service provider under DORA?

A critical third-party service provider is any external entity, such as a cloud or ICT provider, whose services are essential for the operations of financial institutions, and whose failure could significantly impact those institutions.

What is an ICT risk management framework?

An ICT risk management framework is a set of processes and policies designed to identify, manage, and mitigate risks related to information and communication technology, ensuring operational continuity.

How does DORA ensure harmonization across the EU?

DORA establishes a uniform set of rules for ICT risk management and digital resilience, eliminating fragmentation across EU member states and ensuring consistent practices across the financial sector.

What are the key milestones for DORA compliance?

Key milestones include assessing current ICT frameworks, enhancing cybersecurity, establishing incident reporting mechanisms, and completing full compliance by January 17, 2025.

How can financial institutions prepare for DORA?

Financial institutions should start by conducting a gap analysis to assess their current ICT risk management practices, then enhance resilience testing, review third-party contracts, and implement any changes needed to align with DORA. DORAedge makes this simpler; join the waitlist now to be among the first to get access to the tool.

What role do cloud service providers play under DORA?

Cloud service providers are considered critical third-party providers under DORA, and they must meet specific requirements for digital resilience, oversight, and reporting to support financial institutions' compliance.

How does DORA improve cybersecurity in the financial sector?

DORA requires institutions to adopt stronger cybersecurity measures, including continuous monitoring, incident detection, response plans, and collaboration with supervisory authorities to mitigate risks effectively.