Digital Operational Resilience Act (DORA)

Navigate DORA with Confidence with BDO Malta.


The objective of DORA is to improve the cybersecurity and operational resilience of all regulated European financial institutions and of critical, third-party ICT service providers.


Objectives of DORA

The Digital Operational Resilience Act establishes a unified set of requirements for the security of network and information systems of companies and organisations operating in the financial sector, as well as third parties that provide ICT-related services to them (e.g., cloud platforms or data analytics services).

In addition, DORA establishes a regulatory framework on digital operational resilience, where all firms need to ensure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The requirements are the same across all EU member states, as they aim to prevent and mitigate the growing number of cyber threats.

“To strengthen the ICT security and resilience of financial entities in Europe in the face of a severe operational digital disruption, and harmonise the rules for operational resilience across the European financial sector.” (ESMA)



Responsibility for DORA Compliance

Overall, responsibility for this framework, and other governance obligations imposed by DORA, will rest on the firm’s management, which will be responsible for reviewing, approving, implementing and updating the risk management framework.

Management will be required to have full awareness and understanding of the financial institution’s ICT usage, services and risk profile. Companies may want to assess how reporting lines from their ICT department to senior management actually operate on a daily basis. Financial institutions subject to DORA must appoint a senior executive responsible for digital operational resilience and must report incidents to the appropriate authorities.


Board responsibility for DORA Compliance - Art. 5 (2)



DORA Main Obligations

Organisations must identify, assess, and continuously monitor the risks posed by their third-party service providers to ensure operational resilience and compliance with DORA.

Major incidents must be reported to the relevant supervisory authority: an initial notification within 4 hours, followed by an intermediate report within 72 hours.

Organisations must perform tests to demonstrate the effectiveness of the technical and non-technical cybersecurity measures they have implemented.

Organisations must conduct a risk analysis and implement appropriate measures to secure their network and information systems in conformity with the DORA Regulatory Technical Standards. These measures must be approved and overseen by the organisation’s management.

Members of the management bodies of entities must approve security measures and oversee their implementation. To this end, they are also required to undergo mandatory training.

Want to know more? Get in touch with our Technology Team

DORA Compliance: Key contacts

Our Technology experts can assist you with DORA Compliance


Ivan Spiteri

Director of Technology Advisory & Assurance
DORA Compliance Program

DORA Compliance: Our BDO Solution

Our Technology experts can help you with a DORA Compliance program