The Digital Operational Resilience Act (DORA), which entered into force on 16 January 2023 and will apply from 17 January 2025, aims to enhance the digital operational resilience of entities across the EU financial sector and to further harmonise key digital operational resilience requirements for all EU financial entities. DORA sets out uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT (Information and Communication Technologies) services to them, such as cloud computing or data analytics services. DORA creates a regulatory framework on digital operational resilience, whereby all financial entities need to make sure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. These requirements are homogenous across the EU, with the core aim to prevent and mitigate cyber threats. DORA is complemented with several “regulatory technical standards (‘RTS’)” which give more details on requirements for cyber security.
As the whole DORA legislation cannot be presented in a short timeframe, I will focus on the part that is most important to ensure cybersecurity and the part that is the most interesting one for the audience, the RTS on ICT Risk Management Framework. I will give a quick overview and highlight the topics, which will bring the most workload to the industry. The biggest challenges will be in the areas of Asset Management, Operations Security, Network Security and Encryption.