Digital Operational Resilience Act (DORA) Jargon Buster

Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at ensuring the financial sector can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It establishes uniform requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management. DORA seeks to enhance the resilience of financial entities by setting standards for ICT risk management and by placing critical ICT third-party service providers under a dedicated oversight framework, thereby promoting financial stability and consumer protection within the EU.


Pillars of DORA

  • ICT Risk Management
  • ICT Incident Management
  • Digital Operational Resilience Testing
  • ICT Third-Party Risk
  • Information Sharing

ICT Risk

ICT risk refers to the potential for loss or damage due to failures, vulnerabilities, or threats within information and communication technology systems. This includes cyberattacks, system malfunctions, data breaches, and other disruptions that can compromise data integrity, availability, and confidentiality.


ICT-related incident

An ICT-related incident is a single event, or a series of linked events, unplanned by the firm that compromises the security of its network and information systems and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the firm.


Critical or Important Function

A Critical or Important Function is a function whose disruption, or whose discontinued, defective or failed performance, would materially impair the:

  • financial performance of a firm
  • soundness or continuity of its services and activities
  • firm's continuing compliance with the conditions of its authorisation or its other obligations under applicable financial services law


Register of Information

The Register of Information is a comprehensive record that must capture detailed information on all contractual arrangements with ICT third-party service providers and on the use of the ICT services they provide. The Register must distinguish between arrangements that support Critical or Important Functions and those that do not. Firms must make the full Register of Information, or specified sections of it, available to their competent authority on request.


Third Party Oversight

Third-party oversight involves monitoring and managing external vendors or service providers to ensure that they comply with contractual obligations, regulatory requirements, and internal standards. Its aim is to mitigate risks associated with outsourcing and maintain the quality, security, and reliability of services and products provided by third parties.


Regulatory Technical Standard (RTS)

A Regulatory Technical Standard (RTS) is a binding EU legal instrument adopted by the European Commission on the basis of drafts developed by the European Supervisory Authorities. Under DORA, RTSs provide the detailed technical specifications that firms must follow when implementing particular requirements of the regulation, for example the content of the ICT risk management framework, the criteria for classifying major incidents, and the contents of the Register of Information.


European Supervisory Authorities (ESAs)

The European Supervisory Authorities (ESAs) are three agencies established under the European System of Financial Supervision with a mandate to develop a common regulatory framework and foster a consistent and effective approach to financial supervision across the EU. Under DORA they draft the technical standards and jointly oversee critical ICT third-party service providers. The ESAs are:

  • The European Securities and Markets Authority (ESMA)
  • The European Banking Authority (EBA)
  • The European Insurance and Occupational Pensions Authority (EIOPA)


Proportionality Principle

In the context of the Digital Operational Resilience Act (DORA), the proportionality principle requires that the measures and controls a firm implements to ensure resilience are commensurate with its size, overall risk profile, and the nature, scale and complexity of its services, activities and operations. Smaller or less complex firms may, depending on their risk profile, adopt simpler and less burdensome measures, while larger or more complex firms are expected to implement more robust and comprehensive controls. The principle ensures that the regulatory requirements are applied in a balanced manner, avoiding a one-size-fits-all approach while still requiring every firm to manage its ICT risk effectively.