DORA

The Digital Operational Resilience Act (DORA) is a risk assessment framework for data and operational resilience with a particular focus on cyberattacks. By 2025, the rules and guidance will be enforceable with financial penalties if compliance cannot be proven.

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) solves an important problem in EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk mainly through the allocation of capital, but they did not manage all components of operational resilience. After DORA, they must also follow rules for the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The Regulation acknowledges that ICT incidents and a lack of operational resilience have the potential to jeopardise the soundness of the entire financial system, even if there is “adequate” capital for the traditional risk categories.
