What is DORA?

DORA is a European Union (EU) regulation on digital operational resilience and ICT security for the financial sector.

What does DORA stand for?

The name DORA stands for Digital Operational Resilience Act.

When was it published, and from when does it apply?

It was published in the Official Journal of the EU in December 2022 as Regulation (EU) 2022/2554 and applies from 17 January 2025.

Why did a regulation like DORA emerge?

DORA emerged as a proactive response to the digital transformation of financial organizations, which brought a rise in cyber-threats and ICT-related incidents that put the stability of the financial sector at risk. It consolidates ICT risk requirements that were previously scattered across sector-specific rules into one directly applicable regulation.

Where can I find the documentation for DORA?

The text of the regulation is published on EUR-Lex, the EU's official law portal, at https://eur-lex.europa.eu/eli/reg/2022/2554/oj

How is DORA structured?

The regulation is organized into nine chapters, each made up of several articles; Chapters II and V are further divided into two sections each.

What are the names of the chapters and sections?

Chapter I - General provisions

Chapter II - ICT risk management

              Section 1 : Governance and Organization

              Section 2 : ICT Risk Management Framework

Chapter III - ICT-related incident management, classification and reporting

Chapter IV - Digital operational resilience testing

Chapter V - Managing of ICT third-party risk

              Section 1 : Key principles for a sound management of ICT third party risk

              Section 2 : Oversight framework of critical ICT third party service providers

Chapter VI - Information-sharing arrangements

Chapter VII - Competent authorities

Chapter VIII - Delegated acts

Chapter IX - Transitional and final provisions

What type of documentation is needed to implement DORA?

The regulation is complemented by technical standards and guidelines drafted by the European Supervisory Authorities (EBA, EIOPA and ESMA) and adopted by the European Commission:

- Regulatory Technical Standards (RTS)

- Implementing Technical Standards (ITS)

- Guidelines

Is there a penalty in case of noncompliance?

Yes. Competent authorities have several administrative measures and penalties available in case of noncompliance:

- A financial entity may be ordered to cease, temporarily or permanently, any conduct that breaches the regulation

- Monetary fines can be imposed on the organization

- The organization's identity and the nature of the breach can be publicly disclosed

Who must comply with DORA?

DORA applies to almost all financial entities across the EU (such as credit institutions, payment institutions, investment firms and insurers) and to the ICT third-party service providers that serve them; providers designated as critical are subject to a dedicated oversight framework.