  • Deborah

On 28 November 2022, the EU Council adopted the Digital Operational Resilience Act (DORA) for the financial sector.


On December 14, 2022, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and Directive (EU) 2022/2556 as regards digital operational resilience for the financial sector were both published in the Official Journal of the EU.


DORA imposes obligations on both financial entities and ICT third-party service providers, including designated 'critical' ICT service providers (read our previous articles here and here). It consolidates and upgrades firms' capacity to withstand Information and Communication Technology (ICT)-related disruptions and threats through, among others:

  • A sound ICT-risk management framework

  • The use and ongoing maintenance of appropriate and reliable ICT systems, protocols and tools

  • The identification, classification and adequate documentation of all ICT supported business functions, roles and responsibilities, as well as the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk

  • Protection and prevention through the continuous monitoring and control of the security and functioning of ICT systems and tools, and the design and implementation of ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems

  • Implementation of mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure

  • Implementation of a comprehensive ICT business continuity policy for timely response and recovery actions

  • Development and documentation of backup policies and procedures, restoration and recovery procedures and methods to ensure the restoration of ICT systems and data with minimum downtime, limited disruption and loss

  • Learning and evolving, including capabilities and staff to gather information on vulnerabilities and cyber threats as well as ICT-related incidents. Post-incident reviews should also be carried out after a major ICT-related incident to help analyse the cause of the incident and identify the required improvements to ICT operations

  • Implementation of an ICT-related incident management process to detect, manage and notify ICT-related incidents

  • Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

  • Requirements for the performance of digital operational resilience testing (e.g. testing of ICT tools and systems…)

  • Management of ICT third-party risk


‘Financial entity’ is defined to include a broad range of entities such as investment firms, management companies, payment institutions, banks, insurance companies and crypto-asset service providers.


DORA will apply from 17 January 2025.


