Rob Behnke
July 11th, 2023
The Digital Operational Resilience Act (DORA) is part of the EU’s package of bills named the Digital Finance Package (DFP). Other components of this package include the Digital Finance Strategy and Markets in Crypto Assets (MiCA).
The purpose of DORA is to improve the resiliency of the financial sector against potential disruptions to information and communications technology (ICT). DORA goes into full effect in Q1 2025 and impacts financial services providers and the organizations that provide services to them.
DORA’s requirements are broken out into five service areas:
Risk Management: Financial organizations are required to establish comprehensive ICT risk management frameworks and address potential ICT risks at the management level.
Incident Reporting: This service area expands incident classification and reporting guidelines. Organizations use provided criteria and templates to report to regulators, and provide initial, intermediate, and final reports to users and clients.
Resilience Testing: The risk management frameworks and strategies developed as part of the first service area are required to undergo regular testing to ensure that they adequately manage known risks and to identify potentially overlooked or insufficiently addressed risks.
Third-Party Risk: This section of DORA addresses relationships with third-party service providers, including ensuring that these providers manage risk and comply with DORA’s requirements.
Information Sharing: DORA encourages the sharing of threat intelligence within the financial sector, including identifying information that can be safely shared and developing processes to distribute and use it to more rapidly detect and remediate cyber risks.
DORA’s primary objective is to ensure that organizations operating within the EU financial sector – either directly or indirectly – have adequate controls in place to ensure operational resiliency.
Some of the key steps that organizations must take to ensure compliance before the 2025 deadline include:
Implement Risk-Centric Resiliency Management: DORA places the focus on potential risks to an organization and its operational resiliency, including identifying risks and developing and testing strategies and frameworks for managing them.
Perform a Risk Assessment: To prepare for DORA compliance, an organization should perform an initial risk assessment to identify potential gaps between existing risk management controls and the level expected by DORA.
Develop Risk Management Frameworks: Based on the results of the risk assessment and DORA requirements, financial services organizations should develop strategies for managing risk and ensuring digital resiliency.
Align with Regulators’ Expectations: DORA defines new rules for classifying and reporting risk. Organizations should update procedures to use the new classification systems and templates required by regulators.
Prepare for Changes: DORA is the latest bill in the DFP. As this package evolves, additional regulations may come into play, or the requirements outlined in DORA may be updated.
DORA is focused on the financial sector and ensuring its operational resiliency. However, the presence of MiCA in the same package indicates that the EU is treating crypto as part of the greater financial industry.
Companies offering crypto assets will likely be subject to the same requirements as their counterparts in traditional finance (TradFi). DORA’s requirements for service providers may also extend to the infrastructure used to support these assets (i.e., the blockchain).
DORA is one component of the EU’s Digital Finance Package, which is designed to modernize the EU financial industry’s approach to risk management. Even if blockchain companies are not explicitly required to comply with the required controls at this time, doing so is best practice and may help with compliance in the future.