# Digital Operational Resilience Act (DORA)
## Definition
The Digital Operational Resilience Act (Regulation 2022/2554) is an EU regulation that establishes a uniform framework for managing ICT (Information and Communications Technology) risks across the financial sector. Effective January 17, 2025, DORA applies to banks, insurance companies, investment firms, crypto-asset service providers, and critically, their ICT third-party service providers (including cloud providers). DORA moves beyond voluntary guidelines to create legally binding requirements for digital operational resilience, including ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing.
## How It Works
DORA establishes five pillars of digital operational resilience:
### Pillar 1: ICT Risk Management (Articles 5-16)
Financial entities must establish and maintain comprehensive ICT risk management frameworks, including:
- Identification and classification of all ICT assets and dependencies
- Protection measures (access control, encryption, network security)
- Detection capabilities for anomalous activities and ICT-related incidents
- Response and recovery procedures for ICT disruptions
- Learning and evolving from incidents and testing
- Communication plans for ICT-related incidents
### Pillar 2: ICT-Related Incident Management (Articles 17-23)
Mandatory incident classification, reporting, and management:
- Classify incidents by severity using standardized criteria (data loss, service degradation, geographic spread, criticality of services affected)
- Report major ICT incidents to competent authorities within strict timelines (initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month)
- Voluntary reporting of significant cyber threats
### Pillar 3: Digital Operational Resilience Testing (Articles 24-27)
Regular testing requirements, scaled by entity size and risk profile:
- All entities: vulnerability assessments, network security testing, gap analysis, physical security reviews, source code reviews, scenario-based testing, compatibility testing, performance testing
- Significant entities: Threat-Led Penetration Testing (TLPT) at least every 3 years, conducted by qualified external testers using frameworks like TIBER-EU
### Pillar 4: ICT Third-Party Risk Management (Articles 28-44)
Comprehensive governance of ICT service provider relationships:
- Maintain a register of all ICT third-party service provider arrangements
- Conduct due diligence before contracting and ongoing monitoring during the relationship
- Include specific contractual provisions (data location, audit rights, exit strategies, security requirements)
- Critical ICT third-party providers face direct oversight by European Supervisory Authorities (ESAs)
### Pillar 5: Information Sharing (Article 45)
Voluntary arrangements for sharing cyber threat intelligence and vulnerability information among financial entities, within GDPR and competition law boundaries.
## Why It Matters
Financial services sit at the intersection of two realities: total dependence on technology and outsized consequences of failure. A bank's IT outage is not just an inconvenience; it disrupts payments, threatens market stability, and erodes public trust in the financial system.
Before DORA, EU financial sector cybersecurity requirements were fragmented across multiple directives and national regulations. DORA harmonizes these requirements into a single, directly applicable regulation. Key impacts:
- Cloud providers and SaaS vendors serving financial clients face direct regulatory oversight for the first time
- Third-party concentration risk is formally regulated, meaning financial entities cannot over-depend on a single cloud provider without governance measures
- Threat-led penetration testing (TLPT) becomes mandatory for significant institutions, requiring realistic attack simulations
- Incident reporting timelines are strict and standardized, requiring 4-hour initial notifications
The extraterritorial dimension matters: ICT service providers outside the EU that serve EU financial entities must comply with DORA's requirements or risk losing access to the EU financial market.
## Real-World Applications
- Banks: Establish ICT risk management frameworks, register all third-party ICT providers, and conduct TLPT every three years for critical systems.
- Insurance Companies: Map ICT dependencies, implement incident classification and reporting workflows, and ensure business continuity for policyholder services.
- Cloud Service Providers: Prepare for direct oversight by European Supervisory Authorities if designated as critical ICT third-party providers.
- FinTech Startups: Even smaller financial entities must comply with proportionate ICT risk management requirements.
- Payment Processors: Implement resilience testing and incident reporting for payment infrastructure that processes billions in daily transactions.
## CDA Perspective
DORA maps to CDA's Risk Governance & Assurance (RGA) domain under the Perpetual Compliance Assurance (PCA) methodology. For financial sector clients and their technology providers, DORA compliance is a market access requirement, not optional.
CDA's operational approach:
- M-RGA-R01 assesses current ICT risk management maturity against DORA's five pillars
- M-RGA-B02 designs compliant frameworks including incident classification, reporting workflows, and third-party risk registers
- M-RGA-H01 implements continuous compliance monitoring and evidence collection
- M-RGA-D01 conducts TLPT-aligned penetration testing for significant entities using TIBER-EU methodology
CDA's particular strength is Pillar 4 (third-party risk management). Under Zero Possession Architecture, CDA helps financial entities govern their ICT third-party relationships without creating additional concentration risk. We provide the framework; the client maintains control.
## Key Takeaways
- DORA is a binding EU regulation for ICT risk management in the financial sector, effective January 2025
- Five pillars: ICT risk management, incident management, resilience testing, third-party risk, information sharing
- Applies to financial entities and their ICT service providers, including cloud vendors
- Critical ICT third-party providers face direct oversight by European Supervisory Authorities
- Incident reporting requires 4-hour initial notification for major ICT incidents
- TLPT (threat-led penetration testing) is mandatory for significant institutions every 3 years