Dora

From 17 January 2025, European Union (EU) financial institutions, and third-party ICT service providers as soon as the European Supervisory Authorities designate them as “critical”, must be prepared to comply with the Digital Operational Resilience Act (Regulation (EU) 2022/2554, “DORA”). DORA standardizes how financial institutions report cybersecurity incidents, test their digital operational resilience, and manage third-party risk in the financial services sector and in

Key aspects of the DORA regulation:

Operational resilience:

Financial institutions must have processes and systems that enable them to withstand and respond to operational disruptions.

ICT Risk Management:

A framework is established to identify, assess, and mitigate risks related to information and communications technologies.

Supervision and coordination:

National and European supervisory authorities must coordinate to ensure compliance with the regulations.

Transparency and responsibility:

Financial institutions must be transparent about their ICT risk management and take steps to mitigate these risks.

Impact of the DORA regulation:

Greater security:

The regulation seeks to reduce the financial sector's vulnerability to digital threats.

Mandatory compliance:

Financial institutions must adapt to new regulations, including incident management, audits, and system testing.

Greater coordination:

The regulation facilitates collaboration between supervisory authorities and financial sector stakeholders.

Mandatory complements to DORA:

The three European Supervisory Authorities (ESAs), the EBA, EIOPA and ESMA, published on 17/01/2024 the first set of final draft technical standards under DORA. These standards aim to enhance the digital operational resilience of the EU financial sector by strengthening financial institutions' frameworks for information and communication technology (ICT) risk management, third-party risk management and incident reporting.

In order to comply with the sections on the ICT risk management framework, ICT-related incidents, the resilience testing programme within the ICT risk management framework, the management of ICT risk arising from third parties, and contracts with ICT service providers, the following technical standards are being drafted:

  • Regulatory Technical Standards (RTS) on the ICT risk management framework and on the simplified ICT risk management framework;
  • Regulatory Technical Standards (RTS) on the criteria for the classification of ICT-related incidents;
  • Regulatory Technical Standards (RTS) specifying the policy on ICT services supporting critical or important functions provided by third-party ICT service providers (TPPs);
  • Implementing Technical Standards (ITS) establishing the templates for the register of information.

In short: The DORA Regulation is an important step toward strengthening the digital resilience and cybersecurity of the European financial sector, ensuring that institutions can continue to operate safely and effectively.

If you want to know more about the DORA Regulation, its technical standards, how to audit it and how to implement it, do not hesitate to sign up for our Master in Data Protection Audit, Risk Management and Cyber Compliance:

https://eiposgrados.com/programas/master-auditoria-de-proteccion-de-datos-gestion-de-riesgos-cyber-compliance/

For more information about DORA, you can read the regulations at:

https://eur-lex.europa.eu/legal-content/ES/TXT/HTML/?uri=CELEX:32022R2554

Access all the information in our Professional Master in Data Protection Audit, Risk Management and Cyber Compliance, and read more related posts in the Compliance section of our blog.
