COMPLIANCE
DORA Regulations
DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), applies to financial entities and to the ICT third-party service providers that support them, and has applied since 17 January 2025. Its purpose is to achieve a common level of digital operational resilience across the EU financial sector by establishing uniform requirements for the security of the networks and information systems those entities depend on.
It affects, among others: credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, managers of alternative investment funds, insurance and reinsurance undertakings, credit rating agencies, etc., as well as the ICT third-party service providers that serve them.
Among its main obligations are:
- Governance and ICT risk management framework: requires the management body to take responsibility for, and be involved in, decision-making on cybersecurity and cyber-resilience; the definition of strategies, policies and procedures in this area; and oversight of the corresponding periodic audits.
- Digital operational resilience strategy: requires the establishment of objectives and indicators, mechanisms for detecting and responding to ICT-related incidents, and a programme of digital operational resilience testing, including threat-led penetration testing (TLPT) for the entities the supervisory authority designates for it.
- Implementation of measures throughout the ICT risk management lifecycle: requires cybersecurity and cyber-resilience measures at every stage: risk identification, protection and prevention controls, detection of anomalous activity, and appropriate response to and recovery from ICT-related incidents, including the classification and reporting of major incidents to the competent authority.
- ICT third-party risk management: requires managing the risk associated with the organization's relevant ICT suppliers, signing robust contracts that cover the points DORA prescribes (service levels, audit and access rights, exit strategies, and so on), maintaining a register of information on all contractual arrangements with ICT providers, and meeting certain reporting obligations to the supervisory authority.
In addition, it should be noted that DORA does not itself fix a single maximum fine for financial entities: it leaves administrative penalties and remedial measures to the Member States, which must make them effective, proportionate and dissuasive, so the ceiling depends on national law. For ICT third-party service providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year for each day of non-compliance.