
25 DORA Requirements Explained


What Is the Digital Operational Resilience Act (DORA)? 

The Digital Operational Resilience Act (DORA) is a legislative framework established by the European Union to enhance the operational resilience of financial institutions against information and communication technology (ICT) risks. DORA aims to ensure that financial entities can withstand, respond to, and recover from ICT-related disruptions.

DORA introduces a series of requirements that aim to create a resilient digital financial ecosystem, capable of maintaining operational stability even in the face of significant ICT challenges.

In this article we’ll briefly review 25 key DORA requirements, based on the official text of Regulation (EU) 2022/2554: Digital Operational Resilience for the Financial Sector. 

This is part of a series of articles about the DORA regulation.

The requirements are organized according to the DORA regulation’s primary categories:

ICT Risk Management 

1. Establish and Maintain an ICT Risk Management Framework

An ICT risk management framework encompasses strategies, policies, procedures, ICT protocols, and tools necessary to protect all information and ICT assets. These assets include computer software, hardware, servers, data centers, and physical infrastructure. The framework ensures protection from damage and unauthorized access. 

Regular updates and improvements based on lessons learned from incidents and audits are essential. Financial entities must document and review this framework annually or after significant ICT incidents, submitting reports to competent authorities as required. The framework should include a digital operational resilience strategy outlining methods to address ICT risks, establish risk tolerance levels, set clear information security objectives, and implement digital operational resilience testing.

2. Regularly Assess and Document ICT Risks

Financial entities should continuously identify and assess all sources of ICT risk, including those from other financial entities and cyber threats. Regular risk assessments must be conducted, especially after major changes in network or system infrastructure. 

An inventory of information and ICT assets, including their configuration and interdependencies, should be maintained and periodically updated. This includes identifying dependencies on third-party ICT service providers and ensuring all critical processes are documented and mapped. The assessments should also cover legacy ICT systems to ensure they are up to date and resilient against modern threats.

3. Implement Protective and Preventative Measures to Mitigate Identified Risks

Protective measures should include sound network and infrastructure management, strong authentication mechanisms, and policies limiting access to necessary functions. Financial entities must use resilient and updated ICT systems to ensure the availability, authenticity, integrity, and confidentiality of data. 

Regular monitoring and control of ICT systems’ security and functioning are crucial to minimize risks. This includes having documented policies for information security, network management, access controls, and change management. These policies should ensure that all changes to ICT systems are recorded, tested, assessed, approved, implemented, and verified in a controlled manner.

4. Ensure a Consistent Approach to Risk Management Across All Operational Levels

ICT risk management responsibilities should be clearly assigned to avoid conflicts of interest. This includes segregating ICT risk management functions from control and audit functions. The management body should actively oversee the implementation and review of ICT policies, ensuring alignment with the entity’s overall business strategy and objectives. 

Regular internal audits and continuous improvement based on audit findings are necessary to maintain effectiveness. Moreover, a formal follow-up process should be established to verify and remediate critical ICT audit findings in a timely manner.

Incident Reporting

5. Implement Mechanisms for Immediate Detection and Reporting of ICT-Related Incidents

Financial entities must have mechanisms in place to promptly detect anomalous activities and ICT-related incidents. This includes multiple layers of control, automated alert systems, and clear criteria to trigger incident response processes. 

Regular testing of detection mechanisms is essential to ensure their effectiveness. Entities should also devote sufficient resources to monitor user activity and the occurrence of ICT anomalies, particularly cyber-attacks.

6. Report Significant ICT-Related Incidents to National Competent Authorities

Significant ICT-related incidents should be promptly reported to the relevant national competent authorities. Detailed procedures for incident escalation, forensic analysis, and internal and external communication must be established to manage the incident response effectively. 

These procedures should include criteria for determining the impact and severity of incidents, ensuring that major incidents are escalated and reported appropriately.

7. Maintain Detailed Records of Incidents, Including Their Effects and the Response Actions Taken

All ICT-related incidents and significant cyber threats must be recorded. Financial entities should document the root causes and effects of incidents, as well as the response actions taken. This documentation helps in preventing future incidents and improving the overall ICT risk management framework. 

Regular reviews and updates of these records are required to ensure accuracy. Post-incident reviews should determine the effectiveness of the response and identify areas for improvement.

Lanir Shacham
CEO, Faddom

Lanir specializes in founding new enterprise software companies: assembling and nurturing a great team, taking companies from early-stage funding to late-stage growth, from one design partner to hundreds of enterprise customers, and from MVP to enterprise-grade product; his technical background spans low-level kernel engineering to AI/ML and big data, and he has worked with advisory boards, shareholders, and board members of the world's largest VCs.

Tips from the Expert

In my experience, here are tips that can help you better adapt to the Digital Operational Resilience Act (DORA) requirements:

  1. Adopt a zero-trust architecture: Shift to a zero-trust security model where every access request is thoroughly verified, regardless of its origin, to minimize the attack surface and improve security posture.
  2. Establish a cyber resilience board: Form a dedicated cyber resilience board comprising senior executives and IT leaders to oversee and regularly review the organization’s digital resilience strategies and ensure alignment with business objectives.
  3. Integrate risk management with business strategy: Ensure that ICT risk management is not siloed but integrated into the broader business strategy, aligning risk appetite and tolerance with overall business goals.
  4. Conduct supplier audits and penetration tests: Regularly audit and perform penetration tests on third-party suppliers to ensure their security measures are robust and compliant with your organization’s standards.
  5. Develop a comprehensive recovery playbook: Create a detailed recovery playbook that includes step-by-step procedures for various disruption scenarios, ensuring swift and effective recovery while minimizing operational impact.


Digital Operational Resilience Testing

8. Conduct Regular Testing to Assess the Effectiveness of Digital Resilience Measures

Regular testing of digital resilience measures is crucial for identifying vulnerabilities and assessing the effectiveness of protective measures. This includes conducting business impact analysis, testing business continuity plans, and performing crisis communication drills. 

Testing should ensure that ICT systems and processes can withstand and quickly recover from disruptions.

9. Perform Vulnerability Assessments, Network Security Assessments, and Threat-Led Penetration Testing

Financial entities should perform various types of assessments, including vulnerability assessments, network security assessments, and threat-led penetration tests. These tests help in identifying weaknesses and improving the overall security posture. 

The frequency and scope of these tests should be commensurate with the entity’s size, complexity, and risk profile. Entities should design testing scenarios that simulate real-world cyber-attack conditions to evaluate their defenses effectively.

10. Adjust Testing Based on the Entity’s Size, Complexity, and Systemic Importance

The extent and frequency of digital operational resilience testing should be tailored to the financial entity’s specific characteristics. Larger and more complex entities may require more frequent and comprehensive testing compared to smaller entities. 

The proportionality principle ensures that testing is appropriate to the entity’s risk profile and operational scale. This approach ensures that entities maintain a high level of digital operational resilience without imposing undue burdens.

ICT Third-Party Risk Management

11. Manage Risks Associated with ICT Third-Party Service Providers, Including Cloud Services

Managing ICT third-party risk involves integrating this risk into the overall ICT risk management framework. Financial entities must ensure they remain fully responsible for all obligations under DORA and applicable financial services laws, even when contracting with third-party providers. The management of third-party risk should be proportionate to the nature, scale, complexity, and importance of ICT-related dependencies. 

This includes assessing the risks from contractual arrangements, considering the criticality of the service, and its potential impact on financial services’ continuity and availability. Financial entities should adopt and regularly review a strategy on ICT third-party risk, which includes policies on using ICT services for critical or important functions. This strategy should be applied at the individual, sub-consolidated, and consolidated levels.

12. Keep a Register of All ICT Third-Party Service Agreements

Financial entities must maintain and update a register of all contractual arrangements with ICT third-party service providers. This register should distinguish between contracts supporting critical or important functions and those that do not. 

Entities are required to report annually to competent authorities on new arrangements, the types of providers, and the ICT services and functions provided. They must also inform authorities in a timely manner about any planned contractual arrangement for critical or important functions or when a function becomes critical.

13. Ensure Contracts With ICT Service Providers Comply With Risk Management Requirements

Contracts with ICT third-party service providers must clearly define the rights and obligations of both parties. These contracts should include provisions for data protection, service levels, termination rights, and the ICT provider’s participation in the financial entity’s ICT security programs. 

Contracts must ensure that providers comply with information security standards and include clauses on cooperation with competent authorities. For critical or important functions, contracts should also include provisions for business continuity, ICT security measures, and the provider’s participation in threat-led penetration testing.

14. Monitor and Review Third-Party Performance and Compliance Continuously

Ongoing monitoring of third-party providers is essential. Financial entities must have the right to audit and inspect their ICT service providers and ensure cooperation during these audits. They should set and periodically review service level agreements to ensure compliance. In case of significant breaches or other issues, entities must have exit strategies to transition services smoothly without disrupting business activities. 

Regular reviews and updates to the risk management strategies and exit plans ensure that financial entities can manage dependencies and maintain operational resilience effectively.

Information Sharing

15. Share Cyber Threat Information and Intelligence with Other Financial Entities

Sharing cyber threat intelligence is crucial for enhancing digital operational resilience. Financial entities are encouraged to exchange information on threats, vulnerabilities, and incidents within trusted communities. This sharing aims to raise awareness, limit the spread of cyber threats, and support collective defense mechanisms. Effective information-sharing arrangements must protect sensitive information and comply with data protection regulations.

16. Participate in Information-Sharing Arrangements to Enhance Sector-Wide Resilience

Financial entities should participate in information-sharing arrangements to leverage collective knowledge and experience. These arrangements should involve clear rules for participation, including the roles of public authorities and third-party providers. 

Entities must notify competent authorities about their participation in such arrangements, ensuring transparency and enhancing sector-wide resilience against cyber threats.

Governance and Control

17. Ensure Senior Management Is Accountable for ICT Risk Management

Senior management in financial entities holds ultimate responsibility for ICT risk management. They must define, approve, oversee, and be responsible for implementing all ICT risk management arrangements. This includes setting policies to ensure high standards of data availability, authenticity, integrity, and confidentiality. 

Senior management must also establish clear roles and responsibilities for ICT-related functions and regularly review the digital operational resilience strategy and ICT business continuity plans.

18. Set Up a Management Body Responsible for Overseeing ICT Risk Management

A dedicated management body should be established to oversee the ICT risk management framework. This body is responsible for setting and approving the digital operational resilience strategy, defining risk tolerance levels, and ensuring alignment with the overall business strategy. 

Regular internal audits and continuous improvements based on audit findings are necessary to maintain effectiveness and compliance.

19. Integrate Digital Resilience Into Business Continuity and Crisis Management Plans

Financial entities must incorporate digital operational resilience into their business continuity and crisis management plans. This includes developing ICT business continuity policies, conducting business impact analyses, and implementing ICT response and recovery plans. 

Regular testing and updating of these plans ensure that entities can quickly and effectively respond to and recover from ICT-related disruptions, minimizing impact and ensuring continuity of critical operations.

Audit and Testing

20. Regular Audits of the ICT Risk Management Processes

To maintain an effective ICT risk management framework, financial entities must conduct regular internal and external audits. Internal auditors should possess sufficient knowledge, skills, and expertise in ICT risk, and maintain independence to avoid conflicts of interest.

The frequency and focus of ICT audits should be proportionate to the ICT risk profile of the financial entity. External auditors can also be engaged to provide an additional layer of scrutiny, ensuring evaluation and validation of the ICT risk management framework.

21. Use Both Internal and External Auditors for Evaluation

Financial entities may outsource the task of verifying compliance with ICT risk management requirements to intra-group or external undertakings. However, they remain fully responsible for ensuring compliance. Internal audits should follow the entity’s audit plan and be conducted regularly, while external auditors can provide an unbiased assessment. 

This dual approach ensures a thorough evaluation of the ICT risk management processes, addressing potential weaknesses and implementing necessary improvements.

Contractual Standards

22. Implement Standard Contractual Clauses for ICT Service Arrangements, Particularly for Cloud Computing

To ensure consistency and legal certainty, financial entities should use standard contractual clauses when entering into ICT service arrangements, particularly for cloud computing services. 

These clauses should cover aspects such as data protection, service levels, termination rights, and the obligations of ICT service providers. The use of standard clauses simplifies contract management and ensures compliance with regulatory requirements.

23. Ensure Contracts Allow for Effective Monitoring and Control Over ICT Service Delivery

Contracts with ICT service providers must include provisions that enable financial entities to effectively monitor and control the delivery of services. This includes rights for access, inspection, and audit, as well as requirements for regular reporting on service performance and security measures. 

Such provisions are critical for ensuring that ICT services meet the necessary standards and for identifying and addressing potential issues promptly.

Exit Strategies

24. Develop Strategies for the Orderly Termination of ICT Services, Ensuring Continuity of Critical Functions

Financial entities must develop exit strategies to manage the orderly termination of ICT services. These strategies should ensure that critical functions remain uninterrupted during the transition. 

Key components include identifying alternative providers, planning for the migration of services and data, and maintaining business continuity throughout the process. Regular testing and updates to these strategies are essential to ensure their effectiveness in the event of termination.

25. Include Mandatory Transition Periods in ICT Contracts to Mitigate Service Disruptions

ICT contracts should include mandatory transition periods during which the service provider continues to deliver services, allowing the financial entity sufficient time to transition to a new provider or to bring the services in-house. This reduces the risk of service disruptions and ensures a smooth transition. 

The contract should also specify the responsibilities of the ICT service provider during the transition period, including support for data transfer and system integration.

Preparing for DORA Compliance with Faddom

Compliance starts with visibility. Faddom visualizes your on-premises and cloud infrastructure in as little as one hour without agents. It maps all your servers and business applications instantly and in real-time, highlighting their interdependencies.

  • Faddom is agentless and doesn’t require credentials
  • It is cheap, starting at $10K/year
  • Map the entire environment in real-time, updating 24/7
  • Quick: One person can map the entire organization in an hour

Learn more about Faddom for IT audits and compliance, or start a free trial.
