The objective of DORA is to improve the cybersecurity and operational resilience of all regulated European financial institutions and of critical, third-party ICT service providers.

Objectives of DORA

The Digital Operational Resilience Act establishes a unified set of requirements for the security of network and information systems of companies and organisations operating in the financial sector, as well as third parties that provide ICT-related services to them (e.g., cloud platforms or data analytics services).

In addition, DORA establishes a regulatory framework on digital operational resilience, where all firms need to ensure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. The requirements are the same across all EU member states, as they aim to prevent and mitigate the growing number of cyber threats.
 

“To strengthen the ICT security and resilience of financial entities in Europe in the face of a severe operational digital disruption, and harmonise the rules for operational resilience across the European financial sector.” (ESMA)

Responsibility for DORA Compliance

Overall, responsibility for this framework, and other governance obligations imposed by DORA, will rest on the firm’s management, which will be responsible for reviewing, approving, implementing and updating the risk management framework.

Management will be required to have full awareness and understanding of the financial institution’s ICT usage, services and risk profile. Companies may want to assess how reporting lines from their ICT department to senior management actually operate on a daily basis. The financial institutions that are subject to DORA must appoint a senior executive responsible for digital operational resilience and report incidents to the appropriate authorities

Board responsibility for DORA Compliance - Art. 5 (2)