What is DORA?
DORA (Digital Operational Resilience Act) sets out a harmonised approach to digital operational resilience across the EU’s financial sector.
Under DORA, financial entities are required to:
- Implement an internal governance and control framework to manage ICT risk, supported by an incident management process and testing of ICT systems; and
- Ensure that contracts with third-party ICT suppliers provide suitable assurance of their information security.
Who does DORA apply to?
DORA applies to the EU’s financial sector and suppliers of ICT services to that sector – wherever those suppliers are based. Financial entities covered by the regulation include:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
What are the requirements of DORA?
DORA outlines requirements for:
- ICT risk management;
- Incident reporting;
- Digital operational resilience testing;
- Information sharing; and
- Third-party risk management.
It also covers:
- Contractual arrangements between financial entities and ICT third-party service providers;
- An oversight framework for critical ICT third-party service providers; and
- Cooperation among supervisory authorities, and supervision/enforcement rules.
Additional technical details will be provided by the European supervisory authorities (EBA, EIOPA, ESMA). Until then, refer to the DORA regulation for comprehensive information on expected requirements.
How do I comply with DORA?
Explore the essential steps to navigate DORA compliance.
Training
Certified DORA Foundation Training Course
Certified DORA Practitioner Training Course
Certified DORA Compliance Officer Training Course
Certified ISO 27005 ISMS Risk Management Training Course
Certified DORA Lead Auditor Training Course
Managing Cyber Security Risk Training Course
Consultancy
DORA compliance consultancy services
Free resources
Blogs
Risk Management under the DORA Regulation
“The financial sector is quite heavily regulated, and involves a lot of confidential data. You’d therefore expect that the sector fares better at data security than your average organisation…”
Expert Insight: Cliff Martin
“Cliff Martin is the head of cyber incident response within GRCI Law. We sat down to talk to him about the second core requirement of DORA: incident management. For more details on…”
The Third-Party Threat for Financial Organisations
“Our research for November 2023 found that 48% of the month’s incidents originated from the supply chain (i.e. were third-party attacks). For Europe, this number rises to 61%…”