DORA regulation: what financial institutions need to know

Compliance · 7 min read

Kees van der Vlies

Partner | IT Auditor


The Digital Operational Resilience Act, better known as DORA (Regulation (EU) 2022/2554), is a European regulation and therefore has direct effect in all EU member states without national transposition; it has applied since 17 January 2025. DORA sets uniform requirements for the digital operational resilience of financial entities and for the critical ICT third-party service providers they depend on.

DORA applies to a wide range of financial entities: banks, insurers, investment firms, payment institutions, crypto asset service providers and their critical ICT suppliers. The regulation recognises that the financial sector is increasingly dependent on ICT and that disruptions constitute a systemic risk.

The regulation rests on five pillars. The first is ICT risk management: financial entities must set up a robust framework for ICT risk management with governance, identification, protection, detection, response and recovery.

The second pillar concerns ICT-related incidents. Entities must set up a process for detecting, handling, classifying and reporting ICT-related incidents. Incidents classified as major must be reported to the competent authority within strict deadlines: an initial notification within four hours of classifying the incident as major and no later than 24 hours after becoming aware of it, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Significant cyber threats may also be reported on a voluntary basis.

The third pillar is about digital operational resilience testing. Entities must test all ICT systems and applications supporting critical or important functions at least yearly, using tests such as vulnerability assessments, scenario-based tests, source code reviews and penetration tests. Entities designated by their competent authority must in addition carry out threat-led penetration testing (TLPT) at least every three years, on live production systems and covering the critical or important functions that ICT third-party providers support; the DORA TLPT standards are aligned with the TIBER-EU framework.

The fourth pillar concerns ICT third-party risk. DORA sets detailed requirements for managing risks arising from ICT outsourcing relationships: a pre-contracting risk assessment, mandatory contractual provisions (including audit and access rights, exit strategies and service levels), attention to concentration risk, and a register of information covering all contractual arrangements with ICT third-party providers, which must be made available to the regulator on request. There is also an oversight framework under which the European Supervisory Authorities designate critical ICT third-party providers and a Lead Overseer supervises them directly.

The fifth pillar governs information sharing: entities may, on a voluntary basis and within trusted communities, exchange cyber threat information and intelligence with each other, including indicators of compromise, tactics and techniques, and vulnerabilities, provided the arrangements protect business confidentiality and personal data.

For Dutch financial institutions, DORA means that existing DNB and AFM regulations are supplemented and partly replaced by a uniform European framework. Organisations that are already compliant with the DNB Good Practice Information Security have a head start, but must still align their framework with the specific DORA requirements.

Secure Audit helps financial institutions map their DORA gaps and implement the required measures. Get in touch for a DORA readiness assessment.
