EU's Digital Operational Resilience Act (DORA) comes into force

 

DORA establishes a comprehensive EU-wide regulatory framework designed to address fragmented and sector-specific rules on digital operational resilience. At the time of writing, financial institutions operate under various regulations, including MiFID II, CRD, PSD2, and guidelines from the European Supervisory Authorities (ESAs). However, inconsistencies in application and the non-binding nature of some guidelines have created regulatory uncertainty. 

DORA aims to resolve these issues by providing a unified set of requirements, improving regulatory clarity and ensuring better operational resilience in the financial sector. 

The regulation imposes obligations on a wide range of financial entities, including banks, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, and central securities depositories. It also applies to insurance and reinsurance undertakings, managers of alternative investment funds and UCITS management companies, as well as credit rating agencies and crowdfunding service providers. 

DORA also extends to non-financial entities, particularly providers of ICT services to financial institutions. The extent of their obligations depends on whether they are classified as critical third-party providers (CTPPs) under the new framework.

 

The EU Digital Operational Resilience Act (DORA), first introduced by the European Commission in 2020, has become officially applicable across the EU Single Market.

 

Requirements for financial entities

Financial institutions under DORA must implement measures to enhance operational resilience, including: 

  • Establishing internal ICT risk management frameworks with detailed policies and procedures. 
  • Conducting risk identification, management, and reporting processes. 
  • Performing resilience testing, such as threat-led penetration testing for larger entities. 
  • Managing ICT risks associated with third-party providers and ensuring compliance with updated contractual obligations.

 

Impact on ICT Service Providers 

ICT service providers are affected in two main ways: 

  • Critical providers: entities deemed critical will fall under direct supervision by ESAs, which can conduct inspections, impose fines, and enforce compliance. This regulatory approach is in line with the General Data Protection Regulation (GDPR) in its oversight and penalty mechanisms. 
  • Non-critical providers: while not directly supervised, these providers must comply with contractual obligations imposed by financial institutions, which are revising agreements to meet DORA standards. 

Both financial entities and ICT service providers must take proactive steps to meet DORA requirements. For financial entities, this includes conducting gap analyses, aligning internal frameworks with the new rules, and renegotiating contracts with service providers. ICT service providers, particularly those anticipating designation as critical, should also revise agreements and prepare for increased scrutiny from clients and regulators.


The Paypers is the Netherlands-based leading independent source of news and intelligence for professionals in the global payment community.

 

The Paypers provides a wide range of news and analysis products aimed at keeping ecommerce, fintech, and payment professionals informed about the latest developments in the industry.
