
Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a European regulation that aims to ensure that financial organisations have better control of ICT risks and are thus more resilient to cyber threats. DORA entered into force in January 2023 and supplements existing legislation such as the NIS Directive and the GDPR.

Companies have until 17 January 2025 to comply with the Regulation, which applies from that date. Some companies are already subject to DORA-related requirements under existing laws and regulations.

Objective

DORA sets requirements in areas such as ICT risk management, the handling and reporting of ICT-related incidents, periodic testing of digital operational resilience and the management of risks arising from outsourcing to ICT third-party providers. These requirements take account of the size, risk profile and systemic importance of individual organisations. Microenterprises, for example, are exempt from various parts of the Regulation, and for Chapter II of DORA (‘ICT risk management’) a simplified framework applies to certain types of licensed entity.

There are also two additional effects that contribute to the resilience of financial institutions. First, DORA is intended to improve the security of the supply chain, as it introduces an oversight framework that will apply to the ICT third-party providers designated as critical for the financial sector. Second, the Regulation contains provisions on information sharing, enabling financial institutions to exchange information and intelligence on cyber threats and thereby further limit the risks.

Contact

If you have any questions about our supervision based on DORA, please contact our Business Desk.

RTS and ITS

In addition to the requirements set out in the Regulation itself, a number of topics are further elaborated in Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

Publications

In the run-up to the application of DORA, the AFM regularly shares informative updates and other publications to help companies prepare.