Information & infrastructure security

The Digital Operational Resilience Act (DORA)

What is the purpose of DORA?

DORA is an EU Regulation (No. 2022/2554), meaning it takes direct effect across all EU Member States without the need for national legislative action. DORA introduces a comprehensive regulatory framework to strengthen the operational resilience of the digital systems used within the EU financial sector. DORA's sector-specific regime complements, and takes precedence over, the broader requirements of the NIS2 Directive, which seeks to enhance cyber security across sectors deemed critical to civil society in the EU.

Key provisions

DORA introduces technical requirements for in-scope businesses across four areas:

  • information and communication technology (ICT) risk management and governance
  • incident response and reporting
  • digital operational resilience testing
  • third-party risk management.

DORA introduces regulation of critical third-party (technology) providers (CTPs). ICT providers that are designated as 'critical' following an assessment by the European supervisory authorities will face direct regulation by EU authorities; non-EU-based entities may need to establish EU-based subsidiaries in order to comply.

DORA requires financial entities to take a more proactive approach to IT security and resilience when contracting with, and managing, their ICT service providers. Financial entities and ICT third-party service providers must consider the use of standard contractual clauses developed by public authorities for specific services.

DORA encourages participation in voluntary threat intelligence sharing arrangements.

Where will DORA apply?

DORA will apply across the EU. Financial businesses and in-scope ICT providers established outside the EU will be subject to DORA's provisions if they operate in the EU.

Who will have obligations under DORA?

DORA's reach extends across the entire EU financial ecosystem, encompassing a wide range of institutions from traditional banks, credit unions, and investment firms to non-traditional entities such as crypto asset service providers and crowdfunding platforms.

DORA also impacts third-party ICT service providers such as cloud services and data centres. These businesses will experience indirect exposure via contractual pressure and requirements, due to the obligations on financial businesses to manage their third-party risk, and direct exposure if they are designated as CTPs.

Are there sanctions for non-compliance?

The enforcement of DORA will be overseen by designated regulators within each EU Member State with the power to impose penalties for non-compliance. CTPs will be directly supervised by lead overseers from the European supervisory authorities.

Under DORA, penalties for non-compliance can be up to 2% of total annual worldwide turnover. CTPs can face daily fines for non-compliance of 1% of their average daily worldwide turnover in the previous business year, charged every day for up to six months until they achieve compliance. Individuals with board-level responsibility may be held personally liable under DORA for failings attributable to their actions or negligence.

The amount of any fine will depend on the severity of the violation and the financial entity's co-operation with authorities. Member States also have the power to introduce criminal sanctions for non-compliance.

Key dates and deadlines

  • 16 January 2023 – DORA entered into force.
  • 17 January 2025 – DORA applies across the EU.

Our Taylor Wessing experts

  • Graham Hann – Partner, London
  • Giles Crown – Partner, London
  • Marc Schuler – Partner, Paris
  • Andreas Schutz – Partner, Vienna
  • Verena Ritter-Döring – Partner, Frankfurt
  • Clare Reynolds – Senior Counsel, London
  • Jo Joyce – Of Counsel, Dublin
  • Martijn Loth – Counsel, Amsterdam
  • Nicholas Crossland – Senior Associate, London
  • Miroslav Duric – Senior Associate, Frankfurt
  • Sharif Ibrahim – Senior Associate, Amsterdam
  • Prachi Vasisht – Associate, London