Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) is the new centrepiece for the security of information and communication technology (ICT) infrastructure across the entire finance and insurance industry. As with the NIS2 Directive, the focus is on ICT risk management and related aspects.
Key Facts:
- Subject-Matter and Objective: The aim of DORA is to ensure digital operational resilience through uniform requirements for the security of ICT systems that support the business processes of financial entities. The regulation was adopted in December 2022 and will apply directly within the EU from January 17, 2025. By then, the financial entities falling within the scope of application must implement the planned requirements.
- Addressees: DORA has a broad scope of application. It primarily covers so-called financial entities. This includes a wide range of participants in the financial and insurance markets, including credit institutions, payment service providers, investment firms, data reporting services providers, credit rating agencies, trading venues, insurance undertakings and reinsurance undertakings. It also covers third-party ICT service providers (e.g. cloud providers, managed service providers, providers of digital or data services).
- Areas of Regulation: DORA contains extensive requirements for financial entities regarding ICT risk management, incident management, the testing of the ICT systems in use, the relationship with third-party ICT service providers (third-party risk management), and the exchange of information with other financial entities.
- 2nd-Level Legislation, Transposition in Germany: In addition to the legal requirements contained in DORA itself, further requirements are stipulated by downstream implementing acts, so-called 2nd-level legal acts. Such 2nd-level legislation includes, inter alia, regulatory technical standards (RTS) and implementing technical standards (ITS). These 2nd-level legal acts contain detailed implementation instructions that financial entities must follow. In addition, there will be further DORA-specific changes to various German laws affecting the finance and insurance sector (e.g. the KWG) as part of the Financial Market Digitalization Act.
- ICT Risk Management: DORA requires financial entities to have a sound, comprehensive and well-documented ICT risk management framework. This framework must cover the relevant ICT assets and ensure that ICT risks are systematically identified, evaluated and addressed through appropriate security measures. Other aspects of ICT risk management concern the monitoring and control of ICT systems, the detection of vulnerabilities and ICT incidents, and the implementation of response and recovery measures.
- Testing Digital Operational Resilience: Financial entities must regularly test the resilience of their ICT infrastructure to ensure that it can function under stress conditions. An important part of this is conducting threat-led penetration tests (TLPT).
- Incident Management and Notification: Financial entities must be able to detect and respond to ICT incidents at an early stage. This requires, in particular, continuous monitoring of the ICT systems in use and the implementation of effective incident response plans. One component of the incident response plans is compliance with the statutory reporting requirements to the competent supervisory authority as provided for in DORA.
- Management of Third-Party Risks: DORA places particular emphasis on the management of risks arising from the outsourcing of ICT services to external service providers. Financial entities must assess the risks associated with the use of third-party ICT service providers and document all third-party ICT service providers in an information register. They must also ensure that the contractual agreements with the third-party ICT service providers comply with the minimum content requirements set out in DORA.
- Monitoring of Critical ICT Third-Party Service Providers: DORA includes an oversight framework for critical ICT third-party service providers. These are service providers that the European Supervisory Authorities (ESAs) have classified as critical due to their importance for the financial market. The competent supervisory authorities have various tasks and powers with regard to critical ICT third-party service providers.
- Supervision and Sanctions: National and European supervisory authorities, such as the European Banking Authority (EBA) or the European Securities and Markets Authority (ESMA), are responsible for supervising and enforcing DORA rules. In the event of non-compliance with legal requirements, they can take far-reaching supervisory and enforcement measures, including the imposition of fines.
Our Services include:
- Assessing whether your company falls within the scope of DORA (analysis of affectedness)
- Supporting the implementation of the legal requirements for ICT risk management and incident management, including support in creating and implementing strategies, guidelines and concepts in accordance with the DORA requirements and the applicable 2nd-level legal acts.
- Supporting the conduct of digital operational resilience tests, including advice on commissioning external service providers (e.g. penetration test providers).
- Drafting and negotiating legally compliant contractual terms between financial entities and third-party ICT service providers in the overall context of DORA and other applicable legal and regulatory requirements (e.g. EBA Guidelines, German Risk Management Requirements [MaRisk]).
- Training the management, the responsible IT security staff (e.g. ISO, CIO) and employees in connection with the new DORA requirements.