DORA (Digital Operational Resilience Act) is the European regulation requiring the financial sector to ensure its operational resilience against digital risks. Unlike a directive, a regulation applies directly, without national transposition.
What is DORA?
DORA aims to harmonize information and communication technology (ICT) risk management across the European financial sector. The goal: ensure financial entities can withstand, respond to and recover from any ICT-related incident.
Who is concerned?
- ✓Financial entities: banks, insurers, investment firms, payment institutions, crypto-asset service providers…
- ✓Critical ICT third-party providers (cloud, hosting, software) serving them, now placed under oversight.
The 5 pillars of DORA
- ✓ICT risk management: governance, identification, protection, detection and response.
- ✓Management and reporting of major ICT-related incidents.
- ✓Digital operational resilience testing, including advanced testing (TLPT) for the most critical entities.
- ✓ICT third-party risk management (contracts, monitoring, exit strategy).
- ✓Cyber threat information sharing between financial entities.
The sensitive point: ICT providers
DORA requires a precise mapping of your critical providers and strict contractual clauses. It is often the most underestimated work.
How to become compliant?
- ✓Run a gap analysis against the 5 pillars.
- ✓Strengthen ICT risk governance and involve the management body.
- ✓Map critical ICT providers and revise contracts.
- ✓Set up resilience testing and incident notification mechanisms.
DORA requires a cross-functional approach at the intersection of cybersecurity, risk and legal. Structured support helps avoid blind spots, especially across the ICT subcontracting chain.
Go further
Compliance →