top of page
  • Writer's pictureDeborah

On 28 November 2022, the EU Council adopted the digital operational resilience for the financial sector (DORA).

DORA imposes obligations on both financial entities and ICT third-party service providers, including designated 'critical' ICT service providers (read our previous article here and here). It consolidates and upgrades firm's capacity to withstand Information Communication Technologies (ICT)-related disruptions and threats through, among others:

  • A sound ICT-risk management framework

  • The use and ongoing maintenance of appropriate and reliable ICT systems, protocols and tools

  • The identification, classification and adequate documentation of all ICT supported business functions, roles and responsibilities, as well as the information assets and ICT assets supporting those functions, and their roles and dependencies in relation to ICT risk

  • Protection and prevention through the continuous monitoring and control of the security and functioning of ICT systems and tools; the design and implementation of ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems.

  • Implementation of mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and to identify potential material single points of failure

  • Implementation of a comprehensive ICT business continuity policy for timely response and recovery actions

  • Development and documentation of backup policies and procedures, restoration and recovery procedures and methods to ensure the restoration of ICT systems and data with minimum downtime, limited disruption and loss

  • Learning and evolving including capabilities and staff to gather information on vulnerabilities and cyber threats as well as ICT-related incidents. Post ICT-related incident reviews should also be put in place after the occurrence of a major ICT-related incident to help analyse the cause of the incident and identify the required improvement for the ICT operations.

  • Implementation of an ICT-related incident management process to detect, manage and notify ICT-related incidents

  • Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

  • Requirements for the performance of digital operational resilience testing (e.g. testing of ICT tools and systems…)

  • Management of ICT third-party risk

‘Financial entity’ is defined to include a broad range of entities such as investment firms, management companies, payment institutions, banks, insurance companies and investment firms and crypto asset service providers.

DORA will apply from 17 January 2025.

Recent Posts

See All

Product Corner - VAs : Quèsaco

Virtual Assets (VAs) or crypto assets refer to : “any digital representation of value that can be digitally traded, transferred or used for payment. It does not include digital representation of fiat

Upcoming Regulatory Deadlines to Watch

10 Aug 2023 - Deadline to submit comments to FCA Guidance Consultation (GC23/1) on crypto asset financial promotions. 5 Sep 2023 - Effective date of SEC Cybersecurity Risk Management, Strategy, Govern


bottom of page