Compliance Resource Center
DORA: Understanding the Digital Operational Resilience Act
Crack the code of DORA compliance with this hub of all useful resources on the regulation — your ultimate guide to the Digital Operational Resilience Act.
What Is DORA?
The Digital Operational Resilience Act (DORA) is a regulation (no. 2022/2554) adopted by the European Union in December 2022 to govern the cybersecurity of financial entities, such as banks and credit institutions.
When Will DORA Come into Force?
The Digital Operational Resilience Act will come into force on January 17, 2025. This effective date is set at 24 months after publication of the regulation in the Official Journal of the EU, as stipulated in Article 64.
Why Is DORA Necessary?
The purpose of DORA, as stated in its Recital 105, is to achieve a high level of digital operational resilience for regulated financial entities.
Digital operational resilience is defined as the ability of a financial entity to build, assure, and review its operational integrity and reliability. This includes ensuring the security of network and information systems, whether through direct means or indirectly by using services provided by ICT third-party service providers.
The ultimate goal is to maintain the operational continuity of financial services within the European Union, even in the face of disruptions, incidents, or attacks. DORA marks a paradigm shift from a defensive vision of security to a global resilience of the financial sector. It’s no longer a question of defending, but of resisting.
Which Financial Organizations Are Regulated by DORA?
The Digital Operational Resilience Act applies to 21 types of entities. Here they are as described in Article 2:
- Credit institutions;
- Payment institutions, including payment institutions exempted pursuant to Directive (EU) 2015/2366;
- Account information service providers;
- Electronic money institutions, including electronic money institutions exempted pursuant to Directive 2009/110/EC;
- Investment firms;
- Crypto-asset service providers and issuers of asset-referenced tokens;
- Central securities depositories;
- Central counterparties;
- Trading venues;
- Trade repositories;
- Managers of alternative investment funds;
- Management companies;
- Data reporting service providers;
- Insurance and reinsurance undertakings;
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
- Institutions for occupational retirement provision;
- Credit rating agencies;
- Administrators of critical benchmarks;
- Crowdfunding service providers;
- Securitisation repositories;
- ICT third-party service providers.
DORA: All Useful Resources
Our Articles About the Digital Operational Resilience Act
Useful Resources Elsewhere on the Web
- Official text of the Digital Operational Resilience Act (EUR-Lex) (2022)
- Official text of the Digital Operational Resilience Act (PDF format) (2022)
- ESAs consult on the first batch of DORA policy products (ESMA) (2023)
- RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
- RTS on criteria for the classification of ICT-related incidents;
- ITS to establish the templates for the register of information;
- RTS to specify the policy on ICT services performed by ICT third-party providers.
- ESAs consult on the second batch of DORA policy products (ESMA) (2023)
- Consultation Paper on draft RTS subcontracting
- Consultation Paper on draft guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents
- Consultation Paper on draft RTS on oversight harmonisation
- Consultation Paper on draft RTS and ITS on major incident reporting under DORA
- Consultation Paper on draft Guidelines on oversight cooperation
- Consultation Paper on draft RTS on Threat-Led Penetration Tests (TLPT)
- ESAs specify criticality criteria and oversight fees for critical ICT third-party providers under DORA (ESMA) (2023)
- ESAs publish Report on the landscape of ICT third-party providers in the EU (ESMA) (2023)
About the TIBER-EU Framework
- TIBER-EU information page (European Central Bank, ECB)
- TIBER-EU Framework Services Procurement Guidelines (ECB) (2018)
- How to implement the European framework for Threat Intelligence-based Ethical Red Teaming (2018)
- White Team Guidance: The roles and responsibilities of the White Team in a Threat Intelligence-basedEthical Red Teaming test (2018)
- Purple Teaming Best Practices (2022)
- Scope SpecificationTemplate (2020)
- Guidance for Target Threat Intelligence Report (2020)
- Guidance for the Red Team Test Plan (2020)
- Guidance for the Red Team Test Report (2020)
- Guidance for the TIBER-EU Test Summary Report (2020)
- TIBER-EU Attestation Template (2020)
Our DORA Compliance Guides
Below you can download our two free compliance guides to help DORA-regulated organizations navigate the requirements introduced by the regulation.
DORA: A Complete Guide to Compliance for the Financial Sector
A 50-page guide to walk CISOs, DPOs and legal departments through the EU regulation. No mumbo jumbo, only useful and actionable insights.
DORA: A Guide to Security Testing for Regulated Entities
A 60-page compliance guide to walk security managers of DORA-regulated entities through the regulation's security testing obligations: the resilience testing program, and Threat-Led Penetration Testing (TLPT).
Need to conduct security testing for DORA compliance?
Contact us or schedule an appointment to learn more about our Offensive Security tests for DORA-regulated entities — Pentest as a Service (PtaaS), Red Teaming and TLPT, etc.
