DORA: A proposal for digital operational resilience in financial services

The proposal focuses on harmonizing the EU-wide framework (and existing rules) and improving reporting and testing coordination.

There are detailed requirements regarding:

• Responsibilities related to ICT risk management and governance
• ICT incident management, classification, and reporting
• Tests of digital operational resilience (such as regular threat-led penetration testing)
• Management of ICT third-party risk, including a framework for oversight of critical ICT third-party providers - Critical third-party providers (CTPPs) would be supervised by a Lead Overseer (one of the ESAs), who would ensure that providers are managing the risks they pose to companies. Their responsibilities include investigating, inspecting, and making recommendations.

As an EU regulation DORA is directly applicable, the application starts on 17 January 2025. It is recommended to proceed with supervisory implementation until then by concretizing the ESAs through a series of RTS/ISTs.

DORA serves as a "lex specialis" for the financial sector, and companies addressed in DORA are accordingly excluded from NIS2 (Network and Information Systems 2) directive.

Network and information security requirements are set by DORA for companies and organizations operating in the financial sector as well as third parties providing ICT-related services to these companies, such as cloud platforms and data analytics. The aim is to ensure that all participants in the financial system have safeguards in place to mitigate cyberattacks and ICT disruptions. A number of requirements are outlined for financial entities with respect to ICT risk management, contractual arrangements between ICT providers and financial entities, oversight frameworks for critical third-party service providers, and rules on cooperation between authorities.