DORA Regulation: Article Summary

  • The DORA Regulation establishes a detailed and comprehensive regulatory framework for the digital operational resilience of financial entities.
  • Financial actors must be able to withstand, respond to, and recover from major operational disruptions related to information and communication technologies (ICT).
  • Affected entities should begin their compliance efforts with the DORA Regulation immediately.
  • The DORA Regulation will come into force on January 17, 2025.

Financial institutions now heavily rely on digital solutions to deliver their services. This reliance, combined with increasing exposure to digital risks and cyber threats, highlights the need for robust measures.

The introduction of the DORA Regulation marks a significant milestone for the sector’s cybersecurity, imposing strict requirements on financial institutions regarding digital risk management and business continuity.

What is the DORA Regulation?

Known as the “Digital Operational Resilience Act,” DORA is a European legislative text (Regulation (EU) 2022/2554 of December 14, 2022). It establishes a regulatory framework for digital operational resilience and cybersecurity in the financial sector.

Why this Regulation? The DORA Regulation addresses a context of digital transformation (growing data volumes, increasing reliance on third-party IT providers, etc.) and the rising risks of cyber threats, which particularly affect the financial sector.

What is the Main Objective of the DORA Regulation?

For the first time at the European level, the DORA Regulation establishes a detailed and comprehensive framework for digital operational resilience in financial entities.
These entities must ensure their ability to withstand, respond to, and recover from ICT-related disruptions.

The regulation sets out rules and standards designed to mitigate ICT-related risks for financial entities.
It requires a proactive approach to ICT risk management to ensure business continuity during incidents.

The DORA Regulation follows the principle of proportionality, applying requirements based on the size, nature, scale, and complexity of the financial services provided, as well as the level of risks faced.
It also promotes the “security by design” principle, integrating security into governance processes, product and service design, and throughout their lifecycle.

Who is Affected by the DORA Regulation?

The regulation applies to 21 categories of entities (including both traditional and newer actors) across four main sectors. It also applies to ICT service providers operating within the European Union and offering services to financial entities. Companies with fewer than 10 employees and annual revenues below €2 million are exempt from the regulation.

What are the Key Pillars of the DORA Regulation?

The DORA Regulation encourages financial institutions to embed digital resilience goals within an enterprise-wide strategy, with implications for governance.

It identifies five main pillars essential to digital operational resilience and sets out requirements for compliance with each pillar:

  1. Enhanced Governance – Focus on outsourcing oversight, crisis management, and incident communication.
  2. ICT Risk Management – Implement robust ICT risk management practices.
  3. Incident Management, Classification, and Reporting – Establish centralized and harmonized incident reporting for competent authorities.
  4. Regular Resilience Testing – Conduct regular testing of digital operational resilience.
  5. Third-Party Risk Management – Manage risks related to third-party ICT providers.
  6. Information Sharing – Facilitate the exchange of information between financial entities regarding cyber threats.

DORA Regulation Timeline for 2025

The DORA Regulation and its associated Directive ((EU) 2022/2556) came into effect on January 16, 2023. The regulation will apply from January 17, 2025. However, affected financial entities have an additional three-year transition period to achieve full compliance. This gradual implementation aims to allow time for the required adaptations.

Entities must begin implementing measures such as ICT risk management, incident reporting, operational resilience testing, and third-party ICT provider risk management. Proactive preparation is critical to meeting these deadlines and mitigating non-compliance risks.

Unlike the NIS 2 Directive, the DORA Regulation will apply directly in all EU member states without requiring transposition into national law.

How to Prepare for DORA?

Key steps to ensure compliance with the DORA Regulation:

  • Implement dedicated governance with cyber risk analysis, involvement of key stakeholders (beyond IT leadership), and fostering a culture of digital operational resilience.
  • Consider all current and upcoming regulatory requirements (e.g., NIS 2 Directive).
  • Align existing risk management approaches with a more cohesive and transversal operational resilience strategy.
  • Develop a harmonized framework for incident reporting.
  • Review contracts with ICT service providers, particularly critical suppliers.
  • Establish a program for regular operational resilience testing.

What Sanctions Does the DORA Regulation Impose?

The DORA Regulation reflects the EU’s commitment to strengthening digital resilience and cybersecurity in the financial sector.

ICT service providers may face audits and inspections (on-site or remote) by competent authorities (Articles 33-35). Non-compliance can result in significant penalties, including financial sanctions or daily fines of up to 1% of global annual turnover for a maximum of six months (Article 31).

The DORA Regulation does not reduce the responsibility of financial entities, even in the event of third-party provider failures. Companies must adopt rigorous measures to evaluate, monitor, and manage supplier-related risks.

How Can Oodrive Solutions Ensure DORA Compliance?

Oodrive is considered a third-party ICT service provider under the DORA Regulation. Oodrive’s secure and sovereign collaboration solutions address DORA requirements, particularly ICT risk management (through enhanced security measures) and third-party risk management.

By using Oodrive Work, financial actors benefit from a DORA-compliant cloud file-sharing solution. The solution also helps financial entities secure their supply chain (including third parties, subcontractors, subsidiaries) when exchanging documents in the cloud.