Ensuring the cybersecurity and resilience of financial institutions

Digital Operational Resilience Act (DORA)

Strengthening the cybersecurity and resilience of financial institutions in the EU

In recent years, the EU has pushed forward several initiatives to increase the IT security and resilience of various industries, such as the NIS2 Directive and the Cyber Resilience Act.

As financial institutions are part of the critical infrastructure, the EU Commission has also published a specific framework for this sector, the Digital Operational Resilience Act (DORA for short), which aims to ensure the resilience of financial institutions and insurance companies in the event of IT-related operational disruptions.

DORA is a regulatory framework that outlines the requirements financial institutions must follow in order to achieve a common level of security for their network and information systems and for their incident response.

To that end, DORA sets out requirements in the following areas:

  • Information and communication technology (ICT) risk management;
  • Reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
  • Reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);
  • Digital operational resilience testing;
  • Information and intelligence sharing in relation to cyber threats and vulnerabilities;
  • Measures for the sound management of ICT third-party risk.

Timeframe of DORA

The Digital Operational Resilience Act (DORA) became effective on January 16, 2023, with a 24-month grace period. Covered entities will be required to comply as of January 17, 2025.

Who is affected?

Article 2 of the regulation defines the following entities that need to comply:

  • Credit and payment institutions,
  • Account information service providers,
  • Electronic money institutions,
  • Investment firms,
  • Crypto-asset service providers,
  • Insurance and reinsurance undertakings,
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries,
  • ICT third-party service providers,
  • And more.

The full list of affected organizations can be found in Article 2 – Scope.

The details on ICT-related risks and how to comply

DORA is divided into the following sections:

  • Subject matter,
  • Scope,
  • Definitions,
  • Proportionality principle,
  • ICT risk management,
  • ICT-related incident management, classification, and reporting,
  • Digital operational resilience testing,
  • Managing of ICT third-party risk,
  • Oversight Framework of critical ICT third-party service providers,
  • Information-sharing arrangements,
  • Competent authorities,
  • Delegated acts.

The full regulation text is available from the EU.

Utimaco’s cybersecurity and compliance solutions help affected organizations comply with DORA’s requirements for ICT risk management as well as ICT-related incident management, classification, and reporting.

Minimize ICT-related risks with reliable file and folder encryption in place.
