In response to the deep digital transformation of financial services, the growing interconnection of networks and critical infrastructures, and the multiplication of sophisticated cyberattacks, the European Union has adopted an innovative regulatory framework: the DORA Regulation and its associated directive. Entered into force on January 16, 2023, following their adoption in November 2022, these texts aim to strengthen the digital operational resilience of financial entities.

A New Regulatory Framework for Digital Finance

As part of the European Commission’s digital finance strategy, the DORA initiative aims to foster innovation and the adoption of new technologies while ensuring financial stability and consumer protection.

This new framework consists of two major legislative acts:

  • Regulation (EU) 2022/2554, known as the DORA Regulation, which establishes uniform requirements for the management of risks related to information and communication technologies (ICT) and for the security of networks and information systems across the EU.
  • Directive (EU) 2022/2556, which aims to amend existing directives (CRD IV, PSD2, BRRD, Solvency II, IORP II, MiFID II, AIFM, etc.) in order to align them with the new provisions introduced by the DORA Regulation.

For the first time, the DORA Regulation provides a single, detailed, and comprehensive legislative framework on digital operational resilience for financial entities within the EU. It also establishes a direct supervision mechanism for critical ICT service providers at the European level.

Who Is Affected by DORA?

The DORA Regulation applies to a wide range of actors in the financial sector, including:

  • Financial institutions: credit institutions, investment firms, payment institutions, electronic money institutions, management companies, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, etc.
  • ICT service providers operating within financial services across the European Union.

Application Timeline

The DORA Regulation will be directly applicable in all EU Member States starting on January 17, 2025. Until then, the European Commission will publish delegated acts based on regulatory and implementing technical standards (RTS and ITS) jointly proposed by the European supervisory authorities (EBA, EIOPA, ESMA). These texts will clarify certain requirements of the DORA Regulation and will constitute level 2 of this new regulatory framework.

Directive 2022/2556 must be transposed by the Member States before January 17, 2025.

It is therefore essential for financial entities and ICT service providers to start preparing now by analyzing these new requirements and assessing their operational and strategic impacts.

From Risk Management to Digital Operational Resilience

The concept of digital operational resilience emphasizes a proactive approach to managing operational risks. Rather than focusing solely on risk prevention and loss limitation, it is based on the assumption that incidents, even unlikely ones, will inevitably occur. Organizations must therefore be ready to face them while ensuring the continuity of their critical operations and services.

This approach requires a deep understanding of the internal workings of the company and its ecosystem, in order to identify risks and threats, but also to assess acceptable levels of disruption from both the organization’s and the customer’s perspectives. By strengthening their agility and responsiveness, companies can enhance customer trust and loyalty.

Thus, the DORA Regulation should not be seen as an additional constraint, but as an opportunity for financial entities to differentiate themselves in the market by strengthening their operational resilience to IT, cyber, business continuity, and third-party risks.

The 5 Pillars of Digital Operational Resilience

The DORA Regulation identifies five essential pillars that financial institutions must implement to structure their digital operational resilience:

  1. ICT Risk Management: Develop a robust framework for managing risks associated with information and communication technologies.
  2. Management and Reporting of ICT Incidents and Cyber Threats: Establish effective processes to detect, manage, and report incidents and cyber threats.
  3. Digital Operational Resilience Testing: Regularly conduct tests to assess and improve the organization’s ability to withstand disruptions.
  4. Management of Risks Linked to ICT Third-Party Providers: Assess and manage risks related to external ICT service providers.
  5. Cybersecurity Information Sharing: Collaborate with other stakeholders to share threat intelligence and best practices in cybersecurity.

How to Facilitate and Accelerate DORA Compliance?

Transform your diagnostic process with Smart Global Governance and its Answer Writer solution. By leveraging artificial intelligence, Answer Writer automatically fills in your assessment forms based on your company’s internal documents. No more tedious back-and-forth between your departments and team members!

In addition, Smart Global Governance offers advanced modules for third-party assessment and optimized reporting thanks to natively integrated Business Intelligence tools. Simplify your processes, save valuable time, and make informed decisions with an all-in-one solution.

About the Author

Assouan Bougherara

Senior Legal and R&D Manager at Smart Global Governance
