The Digital Operational Resilience Act

The financial services sector’s heavy reliance on IT exposes entities to heightened risks of cyberattacks and operational disruptions stemming from intricate system, process, and human factors—risks that will only intensify as technology continues to expand across all facets of the industry. To address these emerging risks, the European Union adopted the Digital Operational Resilience Act (DORA) in January 2023, aiming at enhancing the digital operational resilience of information and communication technology (ICT) systems, designed to protect financial institutions from ICT risks.

DORA focuses on enhancing the resilience of information and communication technology systems in the financial sector, including everything from data storage to network security. The regulation will be applicable as from the 17th of January 2025 and all affected entities must meet DORA’s requirements by that date.

Key provisions of DORA

The absence of uniform rules on digital operational resilience across the financial services sector is why DORA applies to almost all financial entities. This includes both traditional financial institutions, like banks and insurers, as well as newer financial players, such as crypto-asset service providers and crowdfunding platforms. This broad scope reflects the increasing reliance on the technology, across the financial services sector, as well as the need for a unified regulatory approach.

More specifically, DORA applies, among others, to:

      1. credit institutions, payment institutions, account information service providers, electronic money institutions;
      2. investment firms, central securities depositories, central counterparties, trading venues, trade repositories and data reporting service providers;
      3. crypto-asset service providers as authorised under MICAR and issuers of asset-referenced tokens;
      4. managers of alternative investment funds and management companies;
      5. insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
      6. crowdfunding service providers;
      7. securitisation repositories;
      8. ICT third-party service providers. 

To assist financial entities to enhance their digital operational resilience, DORA imposes rules and obligations focusing on certain pillars.

      1. ICT Risk Management and Third – Party Risk

DORA imposes the full responsibility and accountability on the management body of the financial entity to establish and maintain internal governance and control protocols ensuring the effective and prudent management of ICT risk. This pillar focuses on the protection and prevention, the detection and the response and recovery for ICT related incidents. It is important to note that the tools, methods, processes, and policies are subject to specific regulatory technical standards to be adopted by the designated European Union authorities.

Further, since in practice financial entities rely on third-party service providers for critical ICT services and infrastructures, this pillar mandates a comprehensive approach to managing these third-party risks. This includes due diligence processes and regular assessments, ensuring that any potential risk deriving from engaging third parties does not compromise the resilience of the financial entity.

      1. Digital Operational Resilience Testing

As part of the ICT-risk management framework mentioned above and with the aim to assess the readiness of the financial entities to handle ICT-related incidents, identify weaknesses and to implement corrective measures, financial entities must establish and maintain a comprehensive digital operational resilience testing programme, including a range of assessments, tests, methodologies, practices, and tools. The testing methodologies may involve vulnerability assessments, scenario-based tests, and penetration tests.

      1. ICT related incidents

This pillar mandates the development of mechanisms for early detection and management of ICT-related incidents, according to which the financial entities must establish incident response and recovery plans to quickly address and mitigate the impact of ICT disruptions. This includes requirements for timely reporting of significant cyber incidents to regulatory authorities, which helps to understand emerging threats.

      1. Information sharing

DORA encourages the collaboration and information sharing between the financial entities. This pillar promotes the exchange of information related to cyber threats, vulnerabilities, and incidents in order to enhance the ability of the financial entities to be prepared and respond to cyber threads or other technical vulnerabilities that may arise.

      1. Oversight of critical ICT third-party service providers

Recognizing the systemic risks posed by the failure of major ICT service providers, this pillar establishes a framework for the regulatory oversight of such entities. It aims to ensure that critical service providers adhere to strict resilience standards, minimizing the risk they pose to the financial sector. Oversight mechanisms may include regulatory assessments, audits, and the ability for authorities to intervene directly if necessary.

 Why is DORA relevant and important?

Due to the increasing dependence on digital technologies, financial services entities are exposed to cybersecurity threats and operational disruptions. By moving forward to more sophisticated technology models, financial entities are exposed to risks associated with system failures, cyberattacks, and third-party service provider vulnerabilities become more apparent. Therefore, DORA represents a critical regulatory development aiming to mitigate these risks by establishing comprehensive, uniform standards for digital operational resilience.

DORA is important especially for its provisions for robust risk management practices, including ICT resilience testing, third-party oversight, and incident reporting. These measures are designed to safeguard financial institutions against the increasing frequency and severity of cyber incidents and operational disruptions.

While DORA’s benefits are clear, its implementation may present challenges, particularly for smaller institutions and emerging firms. These entities may struggle with the high costs of compliance, including the need for significant investments in cybersecurity infrastructure and ongoing monitoring efforts.

Nevertheless, DORA’s implementation represents a necessary evolution in financial regulation, one that aligns with the emerging digital threats. By establishing a unified approach to digital resilience, DORA not only mitigates the risk of large-scale disruptions but also establishes a more secure and trustworthy financial ecosystem,

How can Kinanis Law Firm and TDVG assist

A unique combination of business and technology expertise

Bringing together deep business insights with cutting-edge technology know-how, Kinanis LLC and TDVG deliver solutions that drive real impact. This unique blend allows clients to implement tailored, innovative strategies that enhance efficiency, compliance and growth.

Legal services

In anticipation of the implementation date of DORA, being the 17th of January 2025, our company is equipped to provide you with guidance regarding the risk management strategies, supporting the integration of robust cybersecurity measures and to assist you during the navigation of this complex regulatory landscape.

Technology services

TDVG, in cooperation with Kinanis LLC, has implemented a robust framework for third-party risk management that incorporates both the “Contracts Management 360” and “Know-Your-Counterparty Pro” applications. This comprehensive solution, delivered on a secure Oracle Cloud platform and governed to ensure security, auditability and compliance, is designed to enhance control and oversight in managing third-party relationships. It provides an end-to-end approach to systematically identify, document and mitigate contractual and counterparty risks.

Through this collaboration, TDVG and Kinanis LLC offer an integrated approach to third-party risk management that aligns with regulatory standards and supports operational resilience.

Authors: Savvina Miltiadou and Thrasos Thrasyvoulou

More from KINANIS LLC