Anyone reading the DORA (Digital Operational Resilience Act) chapters for the first time is likely to be overwhelmed by the multitude of provisions and complex requirements. That’s why we’ve written this article to help you get started! We begin with some background information and then present the contents of the individual DORA chapters in a condensed form. Finally, we show the timeline from the first publication in the EU Official Journal to the regulatory changes starting in January 2025.
Context: Digital resilience
Financial services are inconceivable without today’s IT infrastructures – these infrastructures must therefore be especially well protected. The context of the new DORA EU regulation is shaped by trends in technology and cybercrime, as well as by the concept of resilience.
Financial services are based on powerful networks, cloud technologies and secure end-customer interfaces. The entire sector benefits from the opportunity to provide digital services efficiently through information and communication technologies (ICT).
Among the major risks are cybercriminals who specifically look for weak points in the organization and its infrastructure in order to plant malicious code, capture data and paralyze systems. In this context, there is no alternative to effective digital resilience.
Digital resilience can be defined as a set of competencies and capabilities that financial institutions can use to build, ensure the continued availability of, and – in an emergency – restore their specific ICT services.
Contents: the main DORA chapters
DORA comprises eight chapters. We present here the four chapters that are central to implementation and their key requirements. In these chapters, the regulation describes the capabilities that a financial institution must build in order to achieve a satisfactory level of IT risk management from a regulatory perspective.
The regulation’s focus is on the organizational framework, a system for identifying, assessing and reporting conspicuous and potentially harmful incidents, tests and controls for the resilience of existing systems, and risk management along the entire chain in outsourced IT operations. In detail:
ICT risk management framework (Chapter II)
- The holistic approach covers the areas of identification, protection, prevention, detection, countermeasures, recovery, learning, development and communication.
- The management body is responsible for overall ICT risk management and must have sufficient knowledge and up-to-date skills.
- Implementation can be carried out according to the principle of proportionality.
Handling, classification and reporting of IT incidents (Chapter III)
Incidents are classified according to relevance, number, spread and criticality, and the costs caused by failures are recorded. The incident management process (see also our blog post: Incident Response Process) must be effective and sufficiently documented. IT service continuity management must be built on proven practices to ensure a rapid and effective response in the event of an emergency. Certain ICT-related incidents must be reported to the supervisory authorities within specified deadlines using EU-wide standardized templates.
Testing of digital operational resilience (Chapter IV)
- A risk-based, proportionate testing program must be established across many areas of IT.
- Certain financial companies must also carry out so-called threat-led penetration testing (TLPT). This testing methodology should be based on the TIBER-EU framework – only expert testers may conduct these tests.
- The emergency and recovery plans must be exercised and internally audited annually.
Management of ICT third-party risk (Chapter V, Section I)
All risks associated with the commissioning of service providers must be assessed in a structured manner and actively managed. This also includes the integration of service providers into the institution’s information network.
The information register is used for the structured administration of all information on contractual relationships with ICT service providers. DORA contains a broad definition of ICT service providers.
Contractual provisions with ICT service providers must comply with a number of new minimum requirements. BaFin emphasizes that, despite the tight schedule, no transition period is planned.
Timeline: from publication to binding effect
Like every EU regulation, DORA comes into force in several stages. Once it becomes binding in January 2025, supervisory assessments can begin to determine whether institutions have implemented the necessary framework. This is the known timeline so far:
- December 27, 2022: Publication of the Digital Operational Resilience Act in the Official Journal of the EU (as Regulation 2022/2554).
- January 17, 2023: Entry into force of the DORA regulation.
- January 17, 2025: Binding effect for all affected market participants in all EU member states.
This makes it clear: the deadline is getting closer.
Implement DORA – with X1F
As the explanations show, DORA is not reinventing the wheel. If a solid compliance framework is already in place at your company through the implementation of VAIT, BAIT or KAIT, then you are well prepared for integrating the DORA requirements. Otherwise, DORA offers you the opportunity to close existing gaps in your IT compliance and to strengthen the resilience of your business processes against cyber risks. We are happy to act as your partner during the DORA implementation phase!
Johannes Rieder
X1F