Impact of DORA Compliance

DORA introduces several compliance requirements for in-scope entities.

Wider Implications

The goal of the EU-wide uniform legal framework for digital operational resilience is to ensure that financial entities can withstand, respond to and recover from ICT-related threats and disruptions, so that cyber risk is prevented or reduced.

Management bodies are made fully accountable for:

  • ICT risk management, including defining, approving and overseeing the ICT risk management framework
  • Establishing and approving the entity's digital operational resilience strategy
  • Approving the policy on the use of ICT services provided by ICT third-party service providers

Companies are challenged to increase their operational resilience capabilities and to map and understand the relationships between their ICT assets, processes and systems, and how each of these supports service delivery.

Financial Entities

Significantly updated classification, notification, and reporting guidelines will put pressure on businesses to improve how they gather, analyse, escalate, and communicate information about ICT incidents and risks. 

DORA requires that the impact of incidents be assessed and that a root cause analysis be performed. The framework also requires ICT incident reporting to be streamlined, which will ease the burden of meeting the various incident reporting standards currently applied across the financial sector and contribute to a better understanding of cyber risk at EU level.

DORA requires that management develop redundant and resilient ICT systems to support the entity's critical or important functions.

Penalties

Competent authorities can impose administrative penalties and remedial measures for any breach of the DORA regulations. However, the penalties for financial entities have not yet been set. Critical ICT third-party service providers can be subject to periodic penalty payments of up to 1% of their average daily worldwide turnover from the preceding business year, imposed daily for a maximum of six months until compliance is achieved.

DORA Level 1 Regulations

DORA lays out several key requirements, referred to as level 1 regulations, to achieve its objectives. Described in the act itself, these requirements are discussed in the context of DORA's five foundational pillars:

ICT Risk Management Requirements (Articles 5 to 16)
  • Governance: accountable management body
  • Risk management framework and associated activities (identification, protection, detection, response and recovery, learning and evolving, crisis communication)

ICT-Related Incidents Management, Classification, and Reporting (Articles 17 to 23)
  • Standardised incident classification
  • Compulsory and standardised reporting of major incidents
  • Anonymised EU-wide reports

Digital Operational Resilience Testing (Articles 24 to 27)
  • Risk-based and proportionate testing programme
  • Advanced threat-led penetration testing (TLPT) performed by independent testers at least every three years

Managing of ICT Third-Party Risk (Articles 28 to 44)
  • Policy on the use of ICT services provided by ICT third-party service providers
  • Register of information on contractual arrangements with ICT third-party service providers
  • Oversight framework for critical ICT third-party service providers

Information Sharing Arrangements (Article 45)
  • Financial entities are encouraged to share cyber threat information and intelligence with each other

DORA Level 2 Regulations

The main text of DORA is supplemented by important technical detail in a body of secondary legislation, referred to as level 2 regulations. The three European supervisory authorities (ESAs) were jointly appointed to draft these technical standards. The ESAs consist of the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). 

These technical standards are of two types: regulatory technical standards (RTS), of which there are seven, and implementing technical standards (ITS), of which there are two:

  • RTS on ICT risk management framework and on simplified ICT risk management framework
  • RTS on criteria for the classification of ICT-related incidents
  • RTS and ITS on content, timelines and templates on incident reporting
  • RTS on threat-led penetration testing (TLPT)
  • RTS to specify the policy on ICT services performed by ICT third-party providers
  • ITS to establish the templates for the register of information
  • RTS on subcontracting of critical or important functions
  • RTS on oversight harmonisation


Key Experts

Ivan Spiteri, Director of Technology Advisory & Assurance, BDO Malta