Digital Operational Resilience Act

Strengthening IT Security in the Financial Sector

The Regulation of the European Parliament and Council on Digital Operational Resilience for the Financial Sector (DORA) is an EU regulation that came into force on January 16, 2023, and will apply from January 17, 2025. It aims to enhance the IT security of financial entities—such as banks, insurance companies, and investment firms—ensuring that the European financial sector remains resilient in the face of major operational disruptions.

Scope and Coverage

DORA standardizes operational resilience requirements across 20 types of financial institutions, as well as third-party ICT service providers. Covering over 22,000 financial entities and ICT service providers across the EU, the regulation introduces specific and mandatory requirements for all financial market participants, including:

  • Banks, investment firms, and insurance/reinsurance companies
  • Intermediaries, crypto-asset providers, and cloud service providers
  • Critical ICT third parties offering services such as cloud computing, data analytics, and auditing

DORA establishes a Union-wide supervisory framework for critical third-party ICT providers, ensuring consistent oversight across EU Member States.

Core Framework: The Main Pillars of DORA

  1. ICT Risk Management

Financial institutions must implement a robust ICT risk management framework, which includes:

  • Maintaining resilient ICT systems that minimize disruptions
  • Identifying and mitigating ICT risks on an ongoing basis
  • Detecting anomalous activities through continuous monitoring
  • Establishing business continuity policies and disaster recovery plans
  • Learning from external events and past incidents to improve resilience

  2. ICT-Related Incident Reporting

Entities are required to:

  • Implement a process to monitor and log ICT incidents
  • Classify incidents using DORA’s criteria and those set by the European Supervisory Authorities (ESAs)
  • Report major incidents to authorities using a standardized format
  • Submit initial, interim, and final reports to relevant stakeholders

  3. Digital Operational Resilience Testing

Requirements include:

  • Regular testing of ICT systems to identify weaknesses and vulnerabilities
  • Testing requirements tailored to the size, activities, and risk profiles of financial entities
  • Threat-led penetration testing (TLPT) for organizations with higher exposure to cyber risks

  4. Information Sharing

DORA encourages collaboration among financial entities to:

  • Strengthen digital operational resilience
  • Improve awareness of ICT risks
  • Reduce the spread of cyber threats
  • Enhance defensive and detection capabilities
  • Share cyber threat intelligence while ensuring confidentiality and security

  5. ICT Third-Party Risk Management

Requirements include:

  • Continuous monitoring of risks from third-party ICT providers
  • Standardized contractual requirements, including:
    • Service descriptions and data processing locations
    • Performance targets and service-level agreements
    • Security, accessibility, and data protection measures
    • Audit rights, termination clauses, and exit strategies
  • Promotion of standard contractual clauses for cloud services, to be developed by the European Commission

A Unified Approach to Financial Cybersecurity

By harmonizing digital resilience standards across the EU, DORA establishes a clear, enforceable framework for ICT risk management, incident response, and third-party oversight. Financial entities must adapt their ICT and cybersecurity practices to comply with DORA’s requirements ahead of its full implementation in 2025.
