The Digital Operational Resilience Act (DORA) — officially known as Regulation (EU) 2022/2554 — is a regulatory framework designed to enhance the digital resilience of financial entities within the European Union (EU).
This regulation aims to mitigate risks associated with information and communication technology (ICT), ensuring financial institutions can withstand, respond to, and recover from disruptions and threats. Achieving DORA compliance requires EU financial entities to implement ICT risk management, report significant incidents, conduct resilience testing, and oversee ICT third-party service providers effectively.
Why DORA was developed
Challenges of today’s IT systems and applications include fragmented digital ecosystems, lack of visibility into third-party risks, and effective integration of risk management into existing processes. DORA's primary goal is to establish high digital operational resilience across the EU's financial sector. This involves setting uniform security requirements for networks and information systems that support financial entities' business processes.
DORA aims to accomplish the following goals:
1. Protect the financial system: Prevent ICT incidents from destabilizing the financial system.
2. Enhance incident response: Strengthen detection, containment, recovery, and repair capabilities following ICT-related incidents.
3. Standardize practices: Implement consistent standards for ICT risk management, incident reporting, and resilience testing across all member states.
How DORA compliance works
DORA lays out five pillars of specific requirements that financial entities must follow to achieve compliance. These guidelines address risk and resilience challenges of complex digital ecosystems.
The five pillars of DORA address the following:
ICT risk management
Effective ICT risk management is the cornerstone of DORA compliance. Financial entities must establish comprehensive frameworks to identify, assess, and mitigate ICT risks. This includes regularly assessing risks, implementing security controls, and continuously monitoring ICT systems to ultimately help ensure business continuity and data integrity.
ICT incident management
Prompt and detailed incident reporting is critical for maintaining operational resilience. DORA mandates that financial entities report significant ICT-related incidents to competent authorities. They must provide information on the nature of the incident, its impact on operations, and the response measures taken.
Digital operational resilience testing
DORA mandates regular testing of digital operational resilience to ensure financial entities are prepared for potential ICT disruptions. Required testing includes conducting threat-led penetration tests — which simulate real-world cyberattacks — to evaluate the effectiveness of ICT risk management frameworks and incident response capabilities.
Third-party risk management
Financial entities must manage risks associated with ICT third-party service providers. They must ensure third-party providers adhere to similar ICT risk management and resilience standards, conducting due diligence and risk assessments on subcontracting arrangements.
Oversight and cooperation
DORA establishes an oversight framework for critical ICT third-party service providers, ensuring they're subject to regulatory scrutiny. Additionally, the regulation promotes cooperation among competent authorities to enhance supervision and enforcement efforts.
Benefits of DORA compliance
Adhering to DORA compliance offers financial entities several benefits, including the following:
Enhanced security
Robust ICT risk management practices safeguard systems and data from cyber threats and operational disruptions.
Improved incident response
Standardized incident reporting and resilience testing facilitate quick detection, response, and recovery, minimizing downtime and financial losses.
Regulatory alignment
Uniform requirements across the EU reduce regulatory complexity and compliance costs, particularly for multi-state operations.
Increased confidence
Consistent ICT risk management enhances trust in the financial system's stability and resilience in the face of digital threats.
Additional components of DORA compliance
Relationship with NIS2 Directive
The Network and Information Security (NIS2) Directive complements DORA by setting broader cybersecurity requirements across sectors. DORA is the sector-specific regulation for finance, so for financial entities its provisions take precedence over those of the NIS2 Directive.
This alignment ensures financial entities have clear and consistent cybersecurity and operational resilience requirements.
Steps for implementation
Organizations can take the following steps to enhance digital operational resilience:
1. Understand DORA compliance
Conduct workshops, training, and impact assessments to understand DORA's complexities.
2. Develop a road map
Create a plan outlining areas that are subject to DORA compliance assessment. Research solutions and practices that can help your team simplify complex risk assessment.
3. Conduct risk assessment
Conduct compliance assessments and identify compliance risks that need to be addressed. Leverage solutions that can automate as much manual work as possible for your team to increase the coverage and precision of the assessment. Prioritize and remediate compliance gaps.
4. Continuously enforce compliance measures
Implement strategic and operational measures to enhance resilience and ensure compliance on a continuous basis.
Future developments
The European Supervisory Authorities are responsible for developing regulatory technical standards and implementing technical standards to support DORA compliance. These standards provide detailed guidelines on incident reporting, resilience testing, and third-party risk management. As the regulatory landscape evolves, financial entities must stay informed about updates and adjustments to these standards.
Partnering with Dynatrace for DORA compliance
DORA compliance is essential for financial entities operating within the EU, ensuring they can withstand, respond to, and recover from ICT-related disruptions and threats. By implementing robust ICT risk management practices, incident reporting mechanisms, resilience testing, and third-party risk management frameworks, financial entities can enhance their operational resilience and contribute to the financial system's stability. As the digital landscape continues to evolve, DORA adherence will be crucial for maintaining the security and integrity of the EU's financial sector.
Dynatrace is actively preparing for DORA requirements to assist European financial institutions. With its AI-driven observability and security platform, Dynatrace can help organizations navigate ICT and cybersecurity risks, ensuring business continuity and supporting DORA compliance assessment.
The Dynatrace platform includes security and observability capabilities to help organizations enhance operational resilience. From automated business impact analysis to early warning indicators and continuous resilience testing, the Dynatrace platform bolsters ICT risk management and assists with reporting to keep organizations secure and compliant.
For more information on how Dynatrace is preparing to help its partners achieve DORA compliance, explore its journey toward DORA compliance.