Everything you need to know about the DORA Regulation

Digital transformation has profoundly reshaped the financial sector in recent years, making it increasingly dependent on information and communication technology (ICT). This evolution brings new challenges, including cyber attacks and operational risks. It is in this context that the DORA regulation (Digital Operational Resilience Act) was created, with the aim of strengthening the digital resilience of financial entities in Europe.

What is DORA?

DORA is a European regulation, adopted in 2022 and entered into force in 2023, which imposes strict digital resilience obligations on financial entities. Its objective? To ensure the continuity of essential financial services in the event of a major IT crisis. Unlike directives, which leave Member States a certain margin when transposing them into national law, a regulation applies uniformly in all EU Member States, ensuring that the rules are harmonized.

The Five Pillars of DORA

  1. ICT Risk Management
    Entities need to identify, assess, and control risks related to the IT systems that support their critical activities. This includes active monitoring of cyber risks, but also operational risks such as system failures that could disrupt financial services.
  2. Incident Management and Reporting
    DORA requires the establishment of processes dedicated to the management of major incidents, including their detection, classification, treatment and notification. This allows entities to respond quickly and in an organized manner in the event of cyberattacks or other service interruptions.
  3. Resilience Testing
    Financial entities must test their systems regularly to verify their ability to withstand crises. These tests must be adapted to the level of risk and the criticality of the services provided. The aim is to ensure that financial services can resume quickly after an incident.
  4. Risk Management Related to ICT Providers
    ICT service providers, especially those supporting critical functions, must meet high resilience standards. DORA requires entities to carefully manage the relationship with these service providers, including the monitoring of their services and the establishment of specific contractual clauses.
  5. Sharing Information
    In order to strengthen the collective resilience of the financial sector, DORA encourages entities to share information about incidents and threats. This makes it possible to better anticipate risks and to strengthen cooperation between market players.

The Importance of Proportionality

The obligations imposed by DORA are designed to be proportionate to the size, risk profile, and activities of financial entities. Thus, the smaller or less critical an entity is, the less stringent its obligations will be. However, every entity, large or small, must respect the basic principles of ICT risk management and resilience testing.

Minimum Contractual Clauses

DORA also imposes a strict contractual framework for relationships between financial entities and their ICT providers. These contracts must include clauses on service continuity, data location, audit rights, and incident management. Critical providers, such as cloud services, are subject to more stringent requirements to ensure the resilience of their services in the event of a crisis.