TABLE OF CONTENTS
DORA is an EU cybersecurity and resilience regulation focused on financial organizations. It was published in December 2022 under the name “Regulation (EU) 2022/2554 on digital operational resilience for the financial sector,” and applies starting January 17, 2025.
DORA regulation summary
DORA is a European Union regulation that specifies cybersecurity and resilience requirements for financial organizations.
Its full name is “Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011,” and it was published on 14 December 2022.
Since DORA is a regulation, this means that it directly applies to practically any financial entity in the European Union — in other words, EU Member States do not need to publish their own regulations on cybersecurity for the financial sector, since financial organizations must comply directly with DORA.
Comprehensive Guide to the DORA Regulation
Why is DORA important?
DORA is important because it introduces the same level of cybersecurity and digital resilience to all financial entities in all EU countries — this way, cybersecurity and continuity of banks, insurance companies, and other financial organizations will be the same across all EU countries.
What does DORA stand for?
The “DORA” abbreviation stands for “Digital Operational Resilience Act.”
Where can I find the full text of DORA?
Here is the official text of DORA: https://eur-lex.europa.eu/eli/reg/2022/2554/oj
You can also find the full text here, arranged by chapters and articles, and with the ability to search by keyword: Full Text of DORA Regulation.
Who does DORA apply to?
DORA applies to almost all financial entities in all EU countries (as well as to their IT service providers):
- credit institutions
- payment institutions
- account information service providers
- electronic money institutions
- investment firms
- crypto-asset service providers
- central securities depositories
- central counterparties
- trading venues
- trade repositories
- managers of alternative investment funds
- management companies
- data reporting service providers
- insurance and reinsurance undertakings
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- institutions for occupational retirement provision
- credit rating agencies
- administrators of critical benchmarks
- crowdfunding service providers
- securitisation repositories
- ICT third-party service providers that provide services to the above listed financial organizations
DORA specified some exceptions for smaller financial organizations — to learn more about which organizations need to comply, and what the exceptions are, read this article: Who must comply with the DORA regulation?
DORA regulation timeline
DORA was published in December 2022, and it applies starting January 17, 2025.
This means that all financial organizations and their IT suppliers must be compliant from January 2025.
How is DORA structured?
The DORA regulation has 64 articles structured in the following nine chapters:
- Chapter I - General provisions
- Chapter II - ICT risk management
- Chapter III - ICT-related incident management, classification and reporting
- Chapter IV - Digital operational resilience testing
- Chapter V - Managing of ICT third-party risk
- Chapter VI - Information-sharing arrangements
- Chapter VII - Competent authorities
- Chapter VIII - Delegated acts
- Chapter IX - Transitional and final provisions
What are the main DORA requirements?
Here are the nine most important DORA requirements:
- Very detailed requirements for ICT risk management.
- Simplified ICT risk management framework for smaller financial entities.
- Incident & threat classification and reporting.
- Testing of digital operational resilience, including penetration testing.
- Managing risks related to ICT third-party providers.
- Requirements for ICT service providers and their oversight by the government.
- Sharing information on cyber threats.
- Government bodies (competent authorities) in charge of enforcing DORA.
- Penalties for financial organizations and ICT third-party providers.
Find more details here: 9 key requirements specified in DORA regulation
What is simplified ICT risk management?
Simplified ICT risk management framework is specified in DORA’s Article 16 and in TITLE III of CDR 2024-1774 Technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.
It describes simplified, i.e., easier ICT risk management requirements for smaller financial entities, since DORA’s regular ICT risk management requirements would probably be overkill for those organizations.
This simplified ICT risk management framework applies to:
- small and non-interconnected investment firms
- small payment institutions exempted by the decision of Member States according to Directive (EU) 2015/2366
- specific credit institutions defined in Directive 2013/36/EU (if Member States did not exclude them completely from DORA)
- small electronic money institutions exempted by the decision of Member States according to Directive 2009/110/EC
- small institutions for occupational retirement provision
What are Commission Delegated Regulations (CDRs)?
Commission Delegated Regulations are regulatory technical standards (adopted by the EU Commission) that specify further details of how to apply the DORA regulation.
At the time of publishing of this article, the following CDRs have been enacted:
- CDR 2024/1502 - The criteria for the designation of ICT third-party service providers as critical for financial entities
- CDR 2024/1505 - The amount of the oversight fees to be charged by the Lead Overseer to critical ICT third-party service providers and the way in which those fees are to be paid
- CDR 2024/1772 - The criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents
- CDR 2024/1773 - Regulatory technical standards specifying the detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers
- CDR 2024/1774 - Regulatory technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework
See more details here: What are DORA Commission Delegated Regulations?
What is DORA process of implementation?
Since DORA places the focus on cybersecurity risk management, the implementation process is similar to other security standards and frameworks — here are the suggested steps for implementation:
- Start with a gap analysis
- Obtain senior management support
- Set up project management
- Perform initial training
- Define governance and senior management's role
- Set up the ICT risk management framework
- Perform asset identification, risk assessment, and treatment
- Write and approve the digital operational resilience strategy
- Implement cybersecurity measures
- Implement resilience measures
- Set up risk management for ICT third-party risk
- Set up regular cybersecurity training
- Set up incident & threat classification and reporting
- Set up regular digital operational resilience testing
- Set up measurement, monitoring, and reviews
- Conduct periodic internal audits
- Conduct periodic management review
- Execute follow-up actions and corrective measures
Read about each step here: 18 steps to comply with DORA requirements, and see which documents are required here: List of documents required by the DORA regulation.
Penalties for financial entities
Unlike NIS 2, DORA does not specify minimum fines for financial entities — rather, it gives the freedom to Member States to define their own fines in their countries.
However, DORA does specify other penalties for financial entities that can be enacted by competent authorities:
- Ordering a financial entity to stop activities that are not compliant with DORA.
- Defining any measure (including fines) to make sure financial entities are compliant with DORA.
- Issuing public notices that can reveal the names of non-complying financial entities, as well as persons in charge.
Penalties for critical ICT third-party service providers
DORA is quite specific on fines that critical ICT third-party service providers need to pay if they are not compliant: This is up to 1% of their worldwide annual turnover, and the amount of the fine depends on the number of days that the service provider was not compliant.
The Lead Overseer (the body that supervises critical service providers) must issue public notice that reveals the name of the service provider that was fined. The competent authority can require a financial organization that is a client of a non-compliant service provider to stop using their services.
Learn more here: Which IT companies need to comply with DORA, and how?
Which government bodies enforce DORA?
DORA does not bring any novelties when it comes to enforcement — in its Article 46 it refers to existing regulations that specify which competent authorities are in charge of supervising particular types of financial organizations.
According to regulations referenced in Article 46, for the majority of financial entities that need to be compliant with DORA, EU Member States designate competent authorities that supervise and enforce financial regulations.
There are a couple of exceptions, where EU authorities directly supervise and enforce financial regulations:
- For credit institutions classified as significant - the European Central Bank (ECB)
- For securitisation repositories - the European Securities and Markets Authority (ESMA)
The role of European Supervisory Authorities (ESAs)
The European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) have several tasks according to DORA, including defining guidelines and regulatory technical standards (which will be published as Commission Delegated Regulations), defining which ICT third-party service providers are critical, appointing Lead Overseers for critical service providers, etc.
ESAs publish various materials related to DORA and other activities on their websites; you can find them here:
- European Banking Authority (EBA)
- European Securities and Markets Authority (ESMA)
- European Insurance and Occupational Pensions Authority (EIOPA)
How is DORA related to ISO 27001 and ISO 22301?
DORA does not mention cybersecurity standards like ISO 27001 (nor any other standard from the ISO27k series), or business continuity standards like ISO 22301.
However, when reading DORA’s Chapter II ICT risk management and CDR 2024-1774 Technical standards specifying ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework, it becomes obvious that many concepts were taken from ISO 27001, ISO 27002, ISO 27005, and ISO 22301. Therefore, financial entities will find it useful to use those standards to comply with DORA’s risk management requirements.
For IT suppliers, DORA Article 28 specifies that “Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards.” Since ISO 27001 is the most popular information security standard worldwide, the certification against this standard will most probably become even more popular.
How is DORA related to NIS 2?
The full title of NIS 2 is “Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union.”
Although NIS 2 and DORA were both published on the same day (December 27, 2022), there are big differences between them:
DORA | NIS 2 | |
Type | Regulation (directly applicable to financial institutions) | Directive (companies comply with local legislation that is published) |
Applies to | Financial institutions | Organizations that are considered essential and important entities |
Protection | Besides cybersecurity measures, the emphasis is also on overall resilience of financial institutions. | Emphasis on cybersecurity measures |
Effective from | January 17, 2025 | October 18, 2024 |
Must financial organizations comply with NIS 2?
NIS 2 lists “banking” and “financial market infrastructures” as sectors that need to be compliant with NIS 2 — however, according to NIS 2 Article 4, DORA and other sector-specific regulations have priority over NIS 2.
In effect, any financial entities that are in the scope of DORA do not need to comply with NIS 2.
The reason why banking and financial market infrastructures are listed in NIS 2 is that this allows competent authorities in charge of NIS 2 to more easily exchange information about such financial entities.
What is the difference between DORA and the EU GDPR?
The full title of the EU GDPR is “Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”
Even though both DORA and the GDPR focus on protection of data, each has a different angle:
DORA | EU GDPR | |
Type | Regulation (directly applicable to financial institutions) | Regulation (directly applicable to all companies) |
Applies to | Financial institutions | Any organization that processes personal data, including financial institutions |
Protection | The focus is on protecting any data in ICT systems and achieving digital resilience. | Cybersecurity measures apply to personal data only; there is also a legal aspect of protection of personal data. |
Effective from | January 17, 2025 | May 25, 2018 |
What is the difference between DORA and the Critical Entities Resilience Directive (CER)
The full title of CER is “Directive (EU) 2022/2557 on the resilience of critical entities.”
Although DORA and CER (as well as NIS 2) were published on the same day (December 27, 2022), they each have a different scope:
DORA | CER | |
Type | Regulation (directly applicable to financial institutions) | Directive (companies comply with local legislation that is published) |
Applies to | Financial institutions | Organizations that are considered critical according to Member State decision |
Protection | Besides resilience, the emphasis is also on cybersecurity measures. | Emphasis on resilience and business continuity |
Effective from | January 17, 2025 | October 18, 2024; however, critical entities need to become compliant within 10 months from the day they are designated as critical. |
For more information about DORA, download this free white paper: Comprehensive guide to the DORA Regulation.