DORA: Regulation (EU) 2022/2554
The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is the European Union's framework for ensuring that the financial sector can withstand, respond to and recover from ICT disruptions and cyber threats.
Published in the Official Journal on 27 December 2022, DORA entered into force on 16 January 2023 and applies from 17 January 2025. It establishes a harmonized, directly applicable set of ICT risk requirements across all EU Member States, replacing fragmented national rules, and is a central element of the EU's digital finance strategy for keeping the financial system robust against evolving cyber threats and technological change.
Recitals – Goals
The recitals of Regulation (EU) 2022/2554 (DORA) establish the rationale, objectives, and guiding principles of the regulation, which aims to strengthen the operational resilience of financial entities within the EU. Key points are summarized below:
1. Purpose and Context
- Digital Risks in Finance: Recognizes the critical role of ICT in financial operations and the growing risks of cyber threats and ICT disruptions.
- Harmonization: Addresses fragmented national approaches to ICT risk management by creating a unified EU framework.
- Global Leadership: Aligns EU standards with international benchmarks, particularly those set by the Financial Stability Board (FSB) and other global bodies.
2. Risk Management and Resilience
- Comprehensive Approach: Establishes a robust, principle-based framework covering risk identification, protection, detection, response, and recovery.
- Risk-Based Measures: Adopts a proportionate approach to ICT risk, with differentiated requirements for large, complex entities and smaller, simpler ones.
3. Oversight of Third-Party Providers
- Critical ICT Providers: Introduces an oversight mechanism for critical third-party ICT providers, addressing systemic risks from dependency and concentration.
- Service Accountability: Ensures financial entities remain responsible for outsourced ICT services, maintaining full compliance with DORA standards.
4. Incident Reporting
- Streamlined Processes: Harmonizes and simplifies the reporting of major ICT-related incidents to competent authorities, so that they are handled swiftly and consistently.
- Cross-Sector Coordination: Encourages collaboration between Member States, EU bodies, and national authorities to strengthen cybersecurity resilience.
5. Integration with Existing Frameworks
- EU Alignment: Complements existing laws such as the NIS2 Directive (Directive (EU) 2022/2555), to which DORA is lex specialis for financial entities, and the GDPR, ensuring regulatory consistency.
- Standardization: Harmonizes operational resilience practices across financial entities to reduce duplication and inefficiencies.
6. Governance and Accountability
- Management Responsibility: Places ultimate responsibility for ICT risk management on the management bodies of financial entities.
- Training and Awareness: Promotes regular training and awareness to embed operational resilience into organizational culture.
7. Proportionality and Adaptability
- Tailored Requirements: Ensures proportionality, with lighter requirements for microenterprises and less complex entities.
- Dynamic Resilience: Encourages frameworks that evolve with technological advancements and emerging threats.
8. Transparency and Legal Certainty
- Clear Rules: Provides detailed and harmonized rules to ensure legal certainty for financial entities and supervisory authorities.
- Single Reporting Channel: Financial entities report major ICT-related incidents to one competent authority, which forwards them to the relevant EU and national bodies, so that the same incident is not reported in parallel to several authorities.
9. Entry into Force and Implementation
- Phased Rollout: Allows for a transitional period to enable financial entities to adapt their ICT frameworks to meet DORA’s requirements.
- Global Compatibility: Maintains consistency with international standards, ensuring competitiveness on a global scale.
Chapter I: General Provisions
Article 1: Subject Matter
Ensure your organization complies with rules enhancing digital operational resilience, focusing on ICT risk management and incident reporting frameworks.
Article 2: Scope
Verify whether your organization falls within the scope of DORA. Article 2 lists the financial entities covered, including credit institutions, payment and e-money institutions, investment firms, crypto-asset service providers, trading venues, CCPs and CSDs, insurance and reinsurance undertakings and intermediaries, and fund managers, and it also brings ICT third-party service providers within scope. Check the exclusions in Article 2(3) before concluding that DORA does not apply.
Article 3: Definitions
Familiarize your team with DORA's key terms, such as "ICT risk", "critical or important function", "major ICT-related incident" and "ICT third-party service provider", so that they are applied consistently across operations.
Article 4: Proportionality
Assess your organization’s size, complexity, and risk profile to apply DORA requirements proportionately.
Chapter II: ICT Risk Management
Section I
Article 5: Governance and Organisation
Establish an internal governance and control framework for ICT risk. The management body bears ultimate responsibility: it defines, approves and periodically reviews the ICT risk management framework, sets the ICT risk tolerance, approves the policy on ICT third-party arrangements, and must keep its own knowledge of ICT risk up to date through regular training.
Section II
Article 6: ICT Risk Management Framework
Develop and implement an integrated framework to identify, assess, and mitigate ICT risks across your organization.
Article 7: ICT Systems, Protocols and Tools
Use and maintain ICT systems, protocols and tools that are appropriate to the scale of your operations, reliable, sufficiently capacitated to process the required data, and technologically resilient under stressed market conditions. Document how these properties are met.
Article 8: Identification
Identify, classify and document all ICT-supported business functions, roles and responsibilities, information and ICT assets, and their dependencies, including on ICT third-party service providers. Keep the inventory current, identify which functions are critical or important, and reassess ICT risk at least yearly and after every major change in infrastructure, processes or procedures. Assess legacy ICT systems specifically.
Article 9: Protection and Prevention
Deploy cybersecurity measures and monitoring controls to protect data integrity, confidentiality, and availability.
Article 10: Detection of Threats
Establish mechanisms to promptly detect anomalous activities, network performance issues and ICT-related incidents, and to identify potential single points of failure. Use multiple layers of control, define alert thresholds that trigger the incident response process, and regularly test the detection mechanisms.
Article 11: Response and Recovery
Put in place an ICT business continuity policy and ICT response and recovery plans covering the critical or important functions. Test the plans at least yearly and after substantive changes, including scenarios such as cyber-attacks and switchover to redundant capacity, and ensure you can estimate the impact of a disruption and contain it.
Article 12: Backup Policies and Procedures, Restoration and Recovery
Establish backup policies and restoration and recovery procedures. Backups must be stored in an environment that is physically and logically segregated from the source system, and restoration from backup must be tested periodically so that the recovery time and recovery point objectives for critical or important functions can actually be met.
Article 13: Learning and Evolving
Conduct post-incident reviews after major ICT-related incidents, feed lessons learned and threat intelligence back into the framework, and keep the framework updated as risks evolve. Run ICT security awareness programmes and digital operational resilience training for all staff, including the management body.
Article 14: Communication
Set up crisis communication plans for the responsible disclosure of major ICT-related incidents to clients, counterparts and, where relevant, the public. Designate at least one person to implement the communication strategy and act as the contact for the media.
Article 15: Further Harmonisation of ICT Risk Management Tools, Methods, Processes and Policies
Article 15 mandates the European Supervisory Authorities (ESAs) to draft regulatory technical standards that specify the requirements of Articles 6 to 14, for example on ICT security policies, access management, detection and business continuity. Track those standards once adopted by the Commission, since they add detail that your framework must meet.
Article 16: Simplified ICT Risk Management Framework
Check whether your organization qualifies for the simplified framework, which applies to specific categories such as small and non-interconnected investment firms, exempted payment and e-money institutions, and small institutions for occupational retirement provision. Microenterprises do not fall under Article 16; they rely on the proportionality principle in Article 4 instead.
Chapter III: ICT-Related Incident Reporting
Article 17: ICT-Related Incident Management Process
Define and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. Record all incidents and significant cyber threats, assign roles and responsibilities for each incident type, set escalation paths, and ensure that major incidents are reported to senior management and the management body.
Article 18: Classification of ICT-Related Incidents and Cyber Threats
Classify incidents using the criteria in Article 18(1): the number and relevance of clients and counterparts affected, duration, geographical spread, data losses, the criticality of the services affected, and economic impact. The materiality thresholds that make an incident "major" are specified in regulatory technical standards, so align your classification scheme with them.
Article 19: Reporting of Major ICT-Related Incidents and Voluntary Notification of Significant Cyber Threats
Report major ICT-related incidents to your competent authority in three stages: an initial notification, an intermediate report, and a final report once the root cause analysis is complete. Inform affected clients without undue delay and, where a significant cyber threat is relevant to them, advise on protective measures. Notifying the authority of significant cyber threats is voluntary.
Article 20: Harmonisation of Reporting Content and Templates
Use the standard content and templates developed by the ESAs for initial notifications and intermediate and final reports.
Article 21: Centralisation of Reporting of Major ICT-Related Incidents
Article 21 tasks the ESAs with assessing the feasibility of a single EU hub for incident reporting. No action is required of financial entities, but expect reporting channels to change if such a hub is established.
Article 22: Supervisory Feedback
Expect the competent authority to acknowledge receipt of your reports and to provide feedback or high-level guidance, including anonymised information on similar threats. Set up channels to receive and act on that feedback.
Article 23: Operational or Security Payment-Related Incidents
For credit institutions, payment institutions, account information service providers and electronic money institutions, the classification and reporting rules of this chapter also apply to operational or security payment-related incidents, including those not caused by ICT.
Chapter IV: Digital Operational Resilience Testing
Article 24: General Requirements for Digital Operational Resilience Testing
Maintain a risk-based digital operational resilience testing programme as part of the ICT risk management framework, executed by independent internal or external parties. Test ICT systems and applications supporting critical or important functions at least yearly, and remediate and validate the findings.
Article 25: Testing of ICT Tools and Systems
Run the tests named in Article 25 as appropriate to your risk profile: vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility, performance and end-to-end testing, and penetration testing. Microenterprises combine a risk-based approach with strategic planning of their tests.
Article 26: Advanced Testing Based on Threat-Led Penetration Testing (TLPT)
Financial entities identified by their competent authority must carry out TLPT at least every three years, on live production systems, covering several or all critical or important functions, with ICT third-party providers whose services support those functions participating. TLPT follows the TIBER-EU framework.
Article 27: Requirements for Testers
TLPT testers must be of the highest suitability and reputability, technically and organizationally capable, certified by an accreditation body or adhering to formal codes of conduct, covered by professional indemnity insurance, and independent. Internal testers may be used only under the conditions in Article 26, and every third test must be performed by external testers. Document the outcomes and remediation plan and obtain the competent authority's attestation.
Chapter V: Managing ICT Third-Party Risk
Section I: Key Principles for ICT Third-Party Risk Management
Article 28: General Principles
Manage ICT third-party risk as an integral part of the ICT risk management framework and remain fully responsible for services you outsource. Adopt a strategy on ICT third-party risk, maintain a register of information on all contractual arrangements (flagging those supporting critical or important functions), make it available to the competent authority on request, and prepare exit strategies for critical or important functions.
Article 29: Preliminary Assessment of ICT Concentration Risk
Before contracting for critical or important functions, assess concentration risk: dependence on a single provider that is hard to substitute, multiple arrangements with the same or closely connected providers, and long subcontracting chains, especially where subcontractors are established outside the EU.
Article 30: Key Contractual Provisions
Contracts with ICT third-party providers must be in writing and include at least a description of the services and the locations where data is processed, data protection provisions, service levels, assistance in incidents, and termination rights. For critical or important functions they must additionally include full service level descriptions with quantitative targets, notice periods and reporting obligations, audit and access rights, participation in TLPT, and exit arrangements.
Section II: Oversight Framework of Critical ICT Third-Party Service Providers
Articles 31 to 44 address critical ICT third-party service providers (CTPPs) and the ESAs acting as Lead Overseer, rather than financial entities directly. The notes below state what each article means for a financial entity and for a provider that is designated as critical.
Article 31: Designation of Critical ICT Third-Party Service Providers
The ESAs designate providers as critical based on systemic impact, the number and importance of the financial entities relying on them, and substitutability. Check whether your providers appear on the published list; ICT providers may also apply for designation voluntarily.
Article 32: Structure of the Oversight Framework
The Oversight Forum within the ESAs Joint Committee coordinates oversight of CTPPs and promotes a consistent approach. Financial entities are not members but are affected by its findings.
Article 33: Tasks of the Lead Overseer
The Lead Overseer assesses whether each CTPP manages the ICT risk it may pose to financial entities and adopts an individual oversight plan for it. Provide data and cooperation when the Lead Overseer requests it through your competent authority.
Article 34: Operational Coordination Between Lead Overseers
The Lead Overseers establish a joint oversight network to coordinate their activities across CTPPs.
Article 35: Powers of the Lead Overseer
The Lead Overseer may request information, conduct general investigations and inspections, issue recommendations, and impose periodic penalty payments on a CTPP. Competent authorities may require financial entities to suspend or terminate arrangements with a CTPP that does not follow recommendations.
Article 36: Exercise of the Powers of the Lead Overseer Outside the Union
Oversight of CTPPs established in third countries is exercised under cooperation arrangements with the relevant third-country authorities.
Article 37: Request for Information
A CTPP must answer the Lead Overseer's information requests; a financial entity may receive related requests from its own competent authority and should respond promptly.
Article 38: General Investigations
The Lead Overseer may examine records and data and interview staff of a CTPP; keep your own third-party documentation ready to support such investigations.
Article 39: Inspections
The Lead Overseer may carry out on-site inspections at a CTPP's premises. If your organization is a CTPP, ensure documentation and systems are audit-ready.
Article 40: Ongoing Oversight
The Lead Overseer uses examination teams to monitor CTPPs continuously. Independently of this, keep monitoring your own providers for emerging risks and compliance with contractual obligations.
Article 41: Harmonisation of Conditions Enabling the Conduct of Oversight Activities
Regulatory technical standards specify how CTPPs and the Lead Overseer interact, so that oversight is applied consistently across providers.
Article 42: Follow-Up by Competent Authorities
Competent authorities follow up on the Lead Overseer's recommendations with the financial entities concerned and may require them to act on the risks identified, including by adjusting or ending arrangements with a CTPP.
Article 43: Oversight Fees
Oversight fees are charged to the CTPPs, not to the financial entities that use them; budget for them only if your organization is designated as critical.
Article 44: International Cooperation
The ESAs may conclude administrative arrangements with third-country authorities to cooperate on ICT third-party risk.
Chapter VI: Information Sharing
Article 45: Information-Sharing Arrangements
Establish secure and compliant frameworks for sharing ICT-related information with peers and authorities to improve resilience.
Chapter VII: Competent Authorities
Article 46: Competent Authorities
Identify and liaise with the competent authorities responsible for DORA implementation and compliance.
Article 47: Cooperation with Structures and Authorities Established by Directive (EU) 2022/2555
Competent authorities cooperate with the NIS2 authorities, CSIRTs and the cooperation group; expect incident information you report to be shared with them where relevant.
Article 48: Cooperation Between Authorities
Competent authorities, the ESAs, the ECB and resolution authorities cooperate and exchange information on ICT risk and incidents, including across borders.
Article 49: Financial Cross-Sector Exercises, Communication and Cooperation
The ESAs may organise cross-sector crisis exercises, and competent authorities coordinate communication with financial entities during large-scale incidents. Be prepared to take part in such exercises.
Article 50: Administrative Penalties and Remedial Measures
Competent authorities hold supervisory and investigatory powers, including access to documents and data, on-site inspections, summoning of staff, and the power to require cessation of conduct, issue public notices and impose financial penalties. Avoid breaches to mitigate this exposure.
Article 51: Exercise of the Power to Impose Administrative Penalties and Remedial Measures
Penalties are set taking into account the materiality, gravity and duration of the breach, the degree of responsibility, the financial strength of the entity, profits gained or losses avoided, losses caused to third parties, and the level of cooperation with the authority.
Article 52: Criminal Penalties
Member States may decide not to lay down administrative penalties for infringements that are already subject to criminal penalties under national law; address compliance violations promptly in either case.
Article 53: Notification Duties
Article 53 requires Member States to notify the Commission and the ESAs of their national penalty rules; it does not create an incident notification duty for financial entities, which is governed by Article 19.
Article 54: Publication of Administrative Penalties
Competent authorities publish decisions imposing penalties on their websites, so a breach carries reputational as well as financial consequences.
Article 55: Professional Secrecy
Confidential information exchanged under DORA is covered by professional secrecy obligations on the authorities and their staff.
Article 56: Data Protection
Article 56 governs the processing of personal data by the ESAs and competent authorities under the GDPR and Regulation (EU) 2018/1725. Your own processing, including of personal data contained in incident reports and the register of information, remains subject to the GDPR.
Chapter VIII: Delegated Acts
Article 57: Exercise of Delegated Powers
Monitor updates to delegated powers and adjust ICT risk management practices accordingly.
Chapter IX: Transitional and Final Provisions
Section I
Article 58: Review Clause
The Commission reviews DORA by 17 January 2028, including the criteria for designating critical ICT third-party providers and whether the rules should extend to statutory auditors. Expect amendments to follow.
Section II: Amendments
Note that the accompanying Directive (EU) 2022/2556 amends the sectoral directives (including CRD, MiFID II and PSD2); the Regulation itself amends only the regulations below.
Article 59: Amendments to Regulation (EC) No 1060/2009
Credit rating agencies must meet DORA's requirements for their ICT systems and controls.
Article 60: Amendments to Regulation (EU) No 648/2012
Central counterparties and trade repositories must align their operational risk requirements under EMIR with DORA.
Article 61: Amendments to Regulation (EU) No 600/2014
Data reporting services providers under MiFIR are brought under DORA's ICT risk management requirements.
Article 62: Amendments to Regulation (EU) No 909/2014
Central securities depositories must adapt their operational risk and business continuity arrangements under CSDR to DORA.
Article 63: Amendments to Regulation (EU) 2016/1011
Benchmark administrators must apply DORA to the ICT systems supporting benchmark provision.
Article 64: Entry into Force and Application
DORA entered into force on 16 January 2023 and applies from 17 January 2025. Ensure full compliance by that date.
proIS – Offer from Leitner & Associates
Leitner & Associates presents proIS, a tailored solution to help your organization achieve full compliance with DORA.
Delivered in just 5 business days, this streamlined service includes:
- A thorough review of your ICT strategies, policies, procedures, ICT protocols and tools.
- Testing of up to 25 contractual arrangements.
- Identification of gaps specific to DORA requirements, such as ICT risk management, ICT-related incident management, classification and reporting as well as digital operational resilience testing and managing of ICT third-party risk.
- A concise findings report and actionable follow-up checklist.
For a transparent, all-inclusive price of €9,990 (+19% VAT), proIS equips your organization with a clear roadmap to strengthen digital operational resilience and meet DORA compliance efficiently.
Don’t miss this opportunity to ensure your DORA readiness. Contact us today!