DORA (Digital Operational Resilience Act)

Financial Services

EU regulation strengthening the digital operational resilience of the financial sector through enhanced ICT risk management and third-party oversight

Overview

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, was adopted by the European Union on 14 December 2022 as part of its digital finance package to strengthen the financial sector's resilience to ICT-related incidents. DORA establishes a single, binding framework for how financial entities manage ICT risk, report ICT-related incidents, test their digital operational resilience and manage the risks arising from ICT third-party service providers.

The regulation directly addresses the increasing reliance of financial institutions on technology vendors and service providers, establishing uniform requirements for managing ICT third-party risk across the EU financial sector.

Status

Active - Entered into force on 16 January 2023; applies from 17 January 2025

Jurisdiction

European Union

Regulatory Authority

European Supervisory Authorities (EBA, ESMA, EIOPA), which draft the technical standards and act as Lead Overseer for critical ICT third-party providers; day-to-day supervision of financial entities sits with the national competent authorities

Penalties for Non-Compliance

Administrative penalties and remedial measures set by Member States and imposed by national competent authorities; designated critical ICT third-party providers can additionally face periodic penalty payments imposed by the Lead Overseer

Key Requirements

Essential DORA provisions for third-party risk management

ICT Risk Management Framework

Financial entities must implement a sound, comprehensive, and well-documented ICT risk management framework as part of their overall risk management system. This framework must address third-party risk management specifically.

  • Risk Identification: Systematically identify ICT risks, including those from third-party providers
  • Protection and Prevention: Implement preventive security measures for third-party systems and connections
  • Detection: Capabilities to identify anomalous activities in third-party services
  • Response and Recovery: Plans for responding to and recovering from third-party incidents
  • Learning and Evolution: Continuous improvement of third-party risk controls
  • Communication: Strategies for communicating with stakeholders during incidents

ICT Third-Party Risk Management

DORA requires financial entities to manage risks arising from arrangements with ICT third-party service providers through comprehensive contractual provisions and ongoing oversight.

  • Pre-Contractual Analysis: Before contracting, determine whether the service supports a critical or important function, perform due diligence on the provider's security measures and assess concentration and sub-outsourcing risk
  • Contractual Requirements: Include specific provisions on data security, incident notification, audit rights, and termination
  • Exit Strategies: For services supporting critical or important functions, develop and test exit plans that allow the entity to leave the arrangement without undue disruption or regulatory breach
  • Sub-Outsourcing: Manage risks from the entire service chain including sub-contractors
  • Testing: Periodic testing of critical ICT services, including those provided by third parties

Critical ICT Third-Party Providers (CTPPs)

DORA introduces an Oversight Framework for Critical ICT Third-Party Providers, that is, providers deemed systemically important to the EU financial system.

  • Designation Process: The ESAs designate ICT third-party providers as "critical" based on criteria such as the systemic impact of a failure, the systemic importance of the financial entities relying on the provider, reliance on the provider for critical or important functions and the degree of substitutability
  • Direct Oversight: Critical providers fall under direct oversight of one of the ESAs (EBA, ESMA or EIOPA) appointed as Lead Overseer
  • Inspections and Recommendations: The Lead Overseer can request information, conduct investigations and on-site inspections and issue recommendations
  • Annual Oversight Plans: The Lead Overseer adopts an individual oversight plan for each CTPP every year, covering its organisational, operational and governance arrangements
  • Penalties: A CTPP that fails to comply may face periodic penalty payments of up to 1% of its average daily worldwide turnover for up to six months, and competent authorities may require financial entities to suspend or terminate the use of its services

ICT-Related Incident Management

Financial entities must establish and implement an ICT-related incident management process to detect, handle, and notify incidents, including those originating from or impacting third-party services.

  • Classification Process: Classify each incident, and determine whether it is major, using the criteria set out in the regulation and its technical standards (clients and counterparts affected, duration, geographical spread, data losses, criticality of the services affected and economic impact)
  • Early Detection: Implement controls to enable prompt identification of incidents
  • Incident Response: Procedures for containing and mitigating impact
  • Notification: Report major ICT-related incidents to the competent authority in three stages (initial notification, intermediate report and final report) within the timeframes set by the accompanying technical standards
  • Root Cause Analysis: Determine underlying causes, including third-party contributions
  • Communication Plans: Protocols for communicating with users, counterparts, and the public

Digital Operational Resilience Testing

DORA mandates regular testing of ICT systems to evaluate preparedness for disruptions and identify vulnerabilities, including those in third-party connections.

  • Basic Testing: Test all ICT systems and tools supporting critical or important functions at least yearly
  • Vulnerability Assessments: Regular scanning and security assessments
  • Scenario-Based Testing: Response to complex failure scenarios
  • Threat-Led Penetration Testing (TLPT): Advanced, intelligence-led testing of live production systems at least every three years for financial entities identified by their competent authority, carried out in a manner aligned with the TIBER-EU framework
  • Third-Party Services: Testing must include critical functions provided by third parties

Implementation Guide

Practical steps for implementing DORA third-party risk management requirements

Inventory ICT Third-Party Providers

Create a comprehensive inventory of all ICT service providers. DORA calls this the register of information; it must be maintained at entity, sub-consolidated and consolidated level and made available to the competent authority on request and at least annually. For each arrangement record:

  • Service scope and functionality
  • Data processed or accessed by the provider
  • Whether the service supports a critical or important function
  • Integration points with internal systems
  • Geographical location of service provision, including where data is stored
  • Sub-contractors in the service chain that support critical or important functions

Enhance Contractual Frameworks

Update contracts with ICT third-party providers to include DORA-specific provisions:

  • Complete service descriptions with quality metrics (SLAs)
  • Data processing, protection, and location requirements
  • Incident notification obligations with specific timeframes
  • Comprehensive audit and access rights
  • Termination rights and exit assistance provisions
  • Sub-outsourcing restrictions and oversight mechanisms

Develop Robust Exit Strategies

Create comprehensive exit plans for each critical ICT provider that address:

  • Alternative service options and transition paths
  • Resource requirements for migration
  • Time required to execute a transition
  • Operational continuity during transition
  • Data retrieval, transfer, and destruction procedures
  • Success criteria for completed transitions

Implement Concentration Risk Management

Assess and mitigate ICT concentration risk through:

  • Identification of shared third-party dependencies
  • Assessment of concentration at provider and sector levels
  • Analysis of geographical concentration of services
  • Development of mitigation strategies for identified concentrations
  • Regular reporting to management on concentration risks
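The inventory and concentration steps above lend themselves to a small, repeatable analysis over the register. The following Python is an added illustration written for this page; it is not part of the regulation, the EBA guidance or any tool named here. It builds a constructed register of arrangements (provider names are fictitious), then reports which providers underpin critical functions directly or through sub-outsourcing, how critical arrangements are spread across countries, and which critical functions have no tested alternative. The 50% escalation threshold is an assumption for the example, not a figure taken from DORA.

```python
"""Constructed ICT third-party register plus a concentration check.

Illustrative example only: not DORA text, not EBA guidance and not a vendor tool.
Field names are a simplification of what a register of information holds.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Arrangement:
    provider: str                # direct ICT third-party provider
    service: str                 # service description
    function: str                # business function supported
    critical: bool               # supports a critical or important function
    country: str                 # country the service is provided from
    substitutable: bool          # a tested alternative / exit path exists
    subcontractors: tuple = ()   # providers further down the service chain


# Constructed sample data; every name below is fictitious.
REGISTER = [
    Arrangement("CloudA", "IaaS hosting", "core-banking", True, "IE", False, ("DC-Ops",)),
    Arrangement("CloudA", "Object storage", "records-archive", True, "IE", True),
    Arrangement("PayGW", "Payment gateway", "card-acquiring", True, "US", False, ("CloudA",)),
    Arrangement("SaaS-HR", "HRIS", "payroll", False, "DE", True),
    Arrangement("MonitorCo", "Managed SIEM", "security-monitoring", True, "IE", True, ("CloudA",)),
]


def critical_functions(register):
    """Distinct critical or important functions present in the register."""
    return {a.function for a in register if a.critical}


def dependency_chain(register):
    """Map each critical function to every provider in its service chain.

    Sub-contractors are included so that a hidden dependency (a payment gateway
    that itself runs on the same cloud as core banking) is counted, not masked
    by the name of the direct provider.
    """
    chain = defaultdict(set)
    for a in register:
        if a.critical:
            chain[a.function].add(a.provider)
            chain[a.function].update(a.subcontractors)
    return dict(chain)


def provider_concentration(register):
    """Share of critical functions depending on each provider, directly or via sub-outsourcing."""
    chain = dependency_chain(register)
    counts = defaultdict(int)
    for providers in chain.values():
        for p in providers:
            counts[p] += 1
    return {p: n / len(chain) for p, n in counts.items()}


def country_concentration(register):
    """Share of critical arrangements whose direct provider delivers from each country."""
    crit = [a for a in register if a.critical]
    counts = defaultdict(int)
    for a in crit:
        counts[a.country] += 1
    return {c: n / len(crit) for c, n in counts.items()}


def single_points_of_failure(register):
    """Critical functions whose direct provider has no tested alternative."""
    return sorted(a.function for a in register if a.critical and not a.substitutable)


def concentration_findings(register, threshold=0.5):
    """Findings to escalate: providers or countries at or above threshold, plus single points of failure.

    The threshold is an assumption for this example; DORA sets no such number.
    """
    findings = []
    for p, share in sorted(provider_concentration(register).items()):
        if share >= threshold:
            findings.append(f"provider {p} underpins {share:.0%} of critical functions")
    for c, share in sorted(country_concentration(register).items()):
        if share >= threshold:
            findings.append(f"country {c} hosts {share:.0%} of critical functions")
    for f in single_points_of_failure(register):
        findings.append(f"function {f} has no tested alternative provider")
    return findings


if __name__ == "__main__":
    for line in concentration_findings(REGISTER):
        print(line)
```

On the constructed data the direct view shows CloudA behind two of four critical functions, but once sub-contractors are followed it underpins all four, which is exactly the kind of dependency a register that stops at the direct provider would miss.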

Incorporate Third Parties in Testing Programs

Extend digital operational resilience testing to include third-party services by:

  • Including third-party connections in vulnerability assessments
  • Testing response scenarios involving third-party outages
  • Validating backup and recovery procedures for third-party services
  • Conducting coordinated testing with critical providers where possible
  • Reviewing and testing exit strategies and transition plans

Prepare for CTPP Oversight

If your organization uses services from potential Critical ICT Third-Party Providers:

  • Monitor regulatory designations of CTPPs
  • Understand implications of your provider being designated as critical
  • Maintain awareness of Lead Overseer recommendations issued to your providers
  • Prepare for potential service changes resulting from oversight activities
  • Develop contingency plans for potential service restrictions

Additional Resources

Helpful materials for understanding and implementing DORA requirements

Official DORA Text

Full text of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.

Access document

EBA DORA Implementation Guidelines

European Banking Authority's guidance on implementing DORA requirements for financial institutions.

Access document

DORA Readiness Assessment

Self-assessment tool to evaluate your organization's preparedness for DORA compliance.

Access tool

DORA Implementation Timeline

Detailed timeline of key dates and deadlines for DORA compliance activities.

View timeline

DORA Contract Checklist

Comprehensive checklist for ensuring ICT third-party contracts meet DORA requirements.

Download checklist

DORA Expert Webinar Series

Educational webinars featuring regulatory experts explaining DORA implementation.

Watch webinars

DORA Compliance Tools

Solutions to help organizations meet DORA third-party risk management requirements

Risk Assessment Platform

Streamlined ICT risk assessment tool specifically designed for DORA compliance.

Third-Party Inventory

Centralized repository for managing ICT provider information and dependencies.

Contract Management

Tools for creating, managing, and reviewing DORA-compliant ICT contracts.

Concentration Risk Analysis

Analytics for identifying and monitoring ICT provider concentration risks.

Exit Strategy Planner

Templates and workflow tools for developing and testing exit strategies.

Resilience Testing Suite

Comprehensive tools for ICT resilience testing including third-party services.

Need Help With DORA Compliance?

Our team of regulatory experts can guide your organization through the complexities of DORA implementation