Find answers to common questions about Digital Operational Resilience Act compliance
What is DORA (Digital Operational Resilience Act)?
DORA (Regulation (EU) 2022/2554) is an EU regulation that sets harmonised requirements for financial entities to manage ICT risk, report major ICT-related incidents, test their digital operational resilience, and control the risk arising from ICT third-party providers. It applies to banks, insurance and reinsurance undertakings, investment firms, payment and e-money institutions, crypto-asset service providers and other financial entities across the EU, and it also brings critical ICT third-party service providers (cloud providers included) under an EU-level oversight framework.
When does DORA regulation come into effect?
DORA entered into force on 16 January 2023 and has applied since 17 January 2025. There was no further transition period after that date, so in-scope financial entities are expected to be fully compliant from 17 January 2025 onwards. The regulation applies to all financial entities within its scope across the EU, with first assessment periods beginning in Q3 2025.
What are the 5 pillars of DORA?
The 5 pillars of DORA correspond to its main chapters: (1) ICT risk management, including the governance and accountability of the management body, (2) ICT-related incident management, classification and reporting, (3) digital operational resilience testing, (4) ICT third-party risk management, and (5) information-sharing arrangements on cyber threats and vulnerabilities between financial entities.
What is Threat-Led Penetration Testing (TLPT) under DORA?
TLPT is intelligence-led red teaming, aligned with the TIBER-EU framework, that simulates the tactics, techniques and procedures of real threat actors against the live production systems supporting the entity's critical or important functions. It is not required of every entity: competent authorities identify which financial entities must perform it, based on criteria such as systemic importance and ICT risk profile (microenterprises are exempt), and those entities must run a TLPT at least every three years, with the authority able to set a different frequency for a given entity. Testers and threat-intelligence providers must meet the requirements of Article 27; internal testers may be used only with the competent authority's approval and with an external threat-intelligence provider, and ICT third-party providers that support the functions in scope are expected to take part in the test.
What are the penalties for DORA non-compliance?
DORA does not set a fixed fine for financial entities: Article 50 leaves it to each Member State to lay down the administrative penalties and remedial measures, which national competent authorities then apply, so the maximum amount depends on the jurisdiction and on the sectoral law the entity is supervised under. The percentage figure in DORA itself concerns critical ICT third-party service providers: the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, charged daily for up to six months, for failing to comply with oversight measures.
Does DORA apply to small financial institutions?
Yes. DORA applies to every financial entity within its Article 2 scope regardless of size, but the proportionality principle in Article 4 means requirements are applied in line with the entity's size, risk profile and the nature of its services, and several obligations are scaled explicitly: microenterprises are exempt from parts of the framework, small and non-interconnected investment firms, small payment and e-money institutions and similar entities follow the simplified ICT risk management framework of Article 16, and TLPT is only required of the entities singled out by their competent authority rather than of every institution.
What is the difference between RTS and ITS in DORA?
Both are level-2 measures that fill in the detail of the regulation. RTS (Regulatory Technical Standards) specify the substance of a requirement, for example the content of the ICT risk management framework, the criteria for classifying major incidents or the contractual provisions for critical or important functions, while ITS (Implementing Technical Standards) set uniform templates, forms and procedures, for example the register-of-information template and the incident reporting forms. Drafts are prepared jointly by the three European Supervisory Authorities (EBA, EIOPA and ESMA) and adopted by the European Commission, RTS as delegated acts and ITS as implementing acts; once published in the Official Journal both are directly binding on financial entities, so the detailed rules on reporting timelines and registers sit there rather than in the main text of DORA.
How does DORA affect cloud services and outsourcing?
Articles 28 to 30 treat cloud and other outsourcing as ICT third-party risk. Entities must keep a register of information covering all contractual arrangements with ICT providers, perform due diligence and concentration-risk analysis before contracting, and include the Article 30 contractual provisions: a clear description of the service and its service levels, the locations where data is processed and stored and notice of any change, data protection and availability provisions, rights of access, inspection and audit for the entity and its supervisors (unrestricted where the service supports a critical or important function), cooperation with competent authorities, participation in the entity's TLPT where relevant, and termination rights with exit strategies that allow the service to be transferred or brought in-house without disrupting operations. Providers designated by the ESAs as critical ICT third-party service providers are additionally subject to direct oversight by a Lead Overseer.
What must be included in DORA incident reporting?
Major ICT-related incidents are reported in three stages under Article 19 and the incident-reporting RTS: an initial notification within 4 hours of classifying the incident as major, and in any case within 24 hours of becoming aware of it; an intermediate report within 72 hours of the initial notification; and a final report within one month of the intermediate report. Across the three reports the entity provides the classification against the Article 18 criteria, the services, systems and geographic areas affected, the impact on clients and counterparties, the root cause once established, the direct and indirect costs and losses, and the remediation measures taken. Significant cyber threats may additionally be reported on a voluntary basis, and clients must be informed without undue delay where an incident affects their financial interests.
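The three deadlines chain into each other, and the initial deadline has a cap that bites when classification is slow. The following Python helper is an added example, not code from the original page: it computes the three submission deadlines from the time the entity became aware of the incident and the time it classified the incident as major, using the 4 hour, 24 hour, 72 hour and one month figures above. The treatment of "one month" as the same calendar day in the next month, clamped to the month's last day, is an assumption for illustration, as are the function names and the constructed timestamps.

```python
# Added example (not from the original page): computes the three DORA major
# incident reporting deadlines from the awareness and classification times.
#   initial notification: 4 h after classification as major, and in any case
#                         no later than 24 h after the entity became aware;
#   intermediate report:  72 h after the initial notification is submitted;
#   final report:         one month after the intermediate report is submitted.
# ASSUMPTION: "one month" is counted as the same calendar day in the next
# month, clamped to the last day of that month; all timestamps are
# timezone-aware and normalised to UTC.
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ReportingDeadlines:
    initial: datetime       # latest time for the initial notification
    intermediate: datetime  # latest time for the intermediate report
    final: datetime         # latest time for the final report


def parse_utc(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp such as '2025-03-03T08:00:00Z' into UTC."""
    dt = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a timezone offset")
    return dt.astimezone(timezone.utc)


def add_months(dt: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = dt.month - 1 + months
    year, month = dt.year + month_index // 12, month_index % 12 + 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


def initial_deadline(aware_at: datetime, classified_at: datetime) -> datetime:
    """4 h from classification, capped at 24 h from awareness, whichever is earlier.

    The cap is what matters when classification is slow: an incident detected
    at 08:00 but only classified as major at 06:00 the next day is due at
    08:00, not 10:00.
    """
    if classified_at < aware_at:
        raise ValueError("an incident cannot be classified before it is detected")
    return min(classified_at + timedelta(hours=4), aware_at + timedelta(hours=24))


def reporting_deadlines(aware_at: datetime, classified_at: datetime,
                        initial_submitted_at: Optional[datetime] = None,
                        intermediate_submitted_at: Optional[datetime] = None,
                        ) -> ReportingDeadlines:
    """Full deadline chain. Later stages count from the actual submission time
    when it is known, otherwise from the previous stage's deadline (worst case)."""
    initial = initial_deadline(aware_at, classified_at)
    intermediate = (initial_submitted_at or initial) + timedelta(hours=72)
    final = add_months(intermediate_submitted_at or intermediate, 1)
    return ReportingDeadlines(initial, intermediate, final)


if __name__ == "__main__":
    # Constructed sample: aware at 08:00 UTC on 3 March 2025, classified as
    # major at 10:00, initial notification actually filed at 12:00.
    d = reporting_deadlines(parse_utc("2025-03-03T08:00:00Z"),
                            parse_utc("2025-03-03T10:00:00Z"),
                            initial_submitted_at=parse_utc("2025-03-03T12:00:00Z"))
    for stage, due in (("initial", d.initial), ("intermediate", d.intermediate),
                       ("final", d.final)):
        print(f"{stage:12s} due by {due.isoformat()}")
```

Feeding actual submission times into `reporting_deadlines` as each report goes out keeps the later deadlines honest: filing the initial notification early does not shorten the 72 hour window, but filing it at the last minute does not extend it either, because each stage counts from the submission that actually happened.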
How can we prepare for DORA compliance?
Begin with a gap analysis against the DORA articles and the RTS and ITS that apply to your entity type, then assign ownership at management-body level, inventory the ICT assets and third-party services that support critical or important functions (this feeds the register of information), assess and contract-review third-party dependencies, implement the controls the gap analysis identified, set up incident classification and reporting procedures that can meet the 4 hour, 72 hour and one month deadlines, and run resilience testing (and TLPT where required) to confirm the programme works before supervisors ask for evidence.