New information security regulation for financial institutions — DORA

On January 17, 2025, the Digital Operational Resilience Act, Regulation (EU) 2022/2554 (DORA), entered into force. DORA addresses information and communications technology (ICT) risk by introducing strict rules for ICT risk management, incident reporting, operational resilience testing, and oversight of third-party ICT providers.

Prior to the adoption of DORA, financial institutions mainly managed operational risk by allocating capital to cover potential losses. That approach did not cover all aspects of operational resilience, especially ICT-related risk.

The Regulation acknowledges that ICT-related incidents and a lack of operational resilience can threaten the stability of the entire financial system, even when “adequate” capital is allocated to the traditional risk categories. DORA fills this gap by making operational resilience a matter not just of financial buffers, but of the ability to withstand and recover from ICT failures.

Who is covered?

DORA applies to all financial institutions in the EU. This covers both traditional financial institutions, such as banks, investment firms, and credit institutions, and non-traditional ones, such as cryptocurrency service providers and crowdfunding platforms.

Note that DORA also applies to certain entities that are not normally subject to financial legislation, for example third-party service providers that supply ICT systems and services to financial institutions, such as cloud service providers and data centers.

Main aspects of DORA

DORA sets requirements in the following areas:

  • ICT risk management;
  • ICT-related incident reporting;
  • digital operational resilience testing;
  • oversight of third-party ICT risk.

The DORA requirements are applied proportionately, which means that smaller organizations are not held to the same standards as large financial institutions. Although the draft regulatory technical standards and their implementation for each area are still under development, the current DORA text already gives a good picture of the general requirements.

What is generally required for DORA compliance?

Key steps to help achieve compliance:

  • First, assess current compliance against the DORA controls.
  • Establish (or maintain, where one already exists) an ICT risk management process.
  • Ensure that service providers understand their responsibilities under DORA.
  • Implement strong cybersecurity measures to meet DORA, which also creates a more secure environment for sensitive financial data.
  • Regularly identify and analyze ICT vulnerabilities.
  • Develop procedures for managing and reporting information security incidents.
  • Participate in information sharing, which may include information on current attack methods and how to defend against them.

Financial penalties for non-compliance with DORA requirements

DORA imposes financial sanctions that depend on the severity and nature of the violation. Financial institutions found to be in violation may be fined up to 2% of their total annual worldwide turnover or 1% of their average daily worldwide turnover. For individuals, fines can reach up to EUR 1,000,000.

For critical third-party ICT providers, even higher fines apply if they do not comply with DORA:

  • for companies: up to EUR 5,000,000;
  • for individuals: up to EUR 500,000.

By comparison, these fines are more severe than those provided for in some regulations, such as the GDPR.
