The Digital Operational Resilience Act (DORA) is a European regulation that aims to make financial organizations manage IT risks better and thus become more resilient to cyber threats. DORA has been in effect since January 2023 and complements existing legislation such as NIS and GDPR.
Many enterprises had until Jan. 17, 2025, to comply with the regulation. Some enterprises were already subject to DORA-like requirements under existing laws and regulations, in addition to certain ISO certifications that addressed the same topics. For other companies, the law now comes into full effect.
Objective of DORA
Among other things, DORA sets requirements for IT risk management, IT incidents, periodic testing of digital resilience and the management of risks when outsourcing to (critical) third parties. This takes into account the size, risk profile and systemic importance of individual organizations.
For example, so-called micro-enterprises are excluded from several parts of the regulation and a simplified framework is being developed for the second chapter of DORA, covering risk management, for certain license types.
There are also two additional effects that contribute to the resilience of financial institutions. First, like NIS2, DORA aims to improve supply chain security. To this end, it contains an oversight framework that will apply to the most critical ICT service providers for the financial sector.
Parallel to NIS2
Finally, the regulation also establishes an information-sharing regime so that financial institutions can share information and intelligence on cyber threats among themselves and thereby further mitigate risks. This aspect is also reflected in NIS2.
Doing nothing about DORA is not a real option; it could lead to serious consequences for business operations. In addition, central banks are making DORA part of their supervision and existing good practices. Sanctions will align with their existing supervisory instruments.
DORA contains six themes
- IT governance
- IT risk management
- IT incident management
- Digital resilience testing
- Third party risk management
- Information sharing
The topics covered by DORA will not be new to many Dutch institutions. However, DORA elaborates these topics in more depth than standards frameworks such as ISO 27001. As a result, all organizations within the financial sector must check whether the depth of their controls is demonstrable to the extent required to comply with DORA.