Preamble 31 to 40, Digital Operational Resilience Act (DORA)

Sep 4, 2024

The EU's Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is designed to strengthen the operational resilience of the EU financial sector against cyber threats and ICT-related risks. The following sections summarise recitals 31 to 40 of the Regulation, which cover information sharing and collective action, proportionality, governance and management-body responsibilities, and baseline requirements for ICT systems, testing and business continuity.

31 Enhancing Information Sharing

Financial entities are often hesitant to share information with other market participants or with non-supervisory authorities such as ENISA or Europol. The result is limited and fragmented exchange of threat and incident information, conducted mainly through national initiatives. To address this, DORA calls for consistent, Union-wide information-sharing arrangements tailored to the needs of an integrated financial sector. Such arrangements are a precondition for raising resilience against ICT risk across the EU rather than within individual Member States.

32 Promoting Collective Action and Information Sharing

DORA encourages financial entities to collaborate and to share knowledge and practical experience at the strategic, tactical and operational levels. Voluntary information-sharing arrangements at Union level, operating within trusted environments, allow the financial community to prevent and respond to cyber threats more quickly and to limit the spread of ICT risk and potential contagion across financial channels. Any such arrangement must comply fully with Union competition law and with data protection law, in particular Regulation (EU) 2016/679 (the GDPR).

33 Tailoring Digital Operational Resilience to Financial Entities

Because financial entities differ significantly in size, business profile and exposure to digital risk, DORA applies its digital operational resilience rules proportionately. Financial entities should devote resources and capabilities to their ICT risk management framework in proportion to their actual needs, and competent authorities should continue to assess and adjust their supervisory approach so that the framework demanded of each entity remains appropriately tailored.

34 Governance Requirements for Larger Financial Entities

Larger financial entities, with greater resources and organisational capacity, are expected to maintain more sophisticated governance arrangements. They should manage their relationships with ICT third-party service providers effectively, operate robust crisis management protocols, and apply the three lines of defence model to ICT risk management. They should also carry out in-depth assessments after major changes to network and information systems, analyse the risks arising from legacy ICT systems, and extend the testing of business continuity and response and recovery plans to cover switchover scenarios between the primary ICT infrastructure and the redundant capacity, backups and redundant facilities.

35 Targeted Requirements for Advanced Digital Resilience Testing

Under DORA, only financial entities identified as significant for the purposes of advanced digital operational resilience testing are required to carry out threat-led penetration testing. The administrative processes and financial costs of such tests should be proportionate to the scale and complexity of the entities involved. Likewise, to ease the regulatory burden on the smallest entities, only financial entities other than microenterprises are required to report regularly to competent authorities on the costs and losses caused by ICT disruptions and on the results of post-incident reviews.

36 Role of Management Bodies in ICT Risk Management

The management body of a financial entity plays a central role in shaping and adapting the ICT risk management framework and the overall digital operational resilience strategy. Beyond ensuring that ICT systems are resilient, the management body should promote a culture of cyber risk awareness and adherence to cyber hygiene throughout the organisation. The management body therefore bears ultimate responsibility for ICT risk management and must remain continuously engaged in controlling and monitoring it, rather than delegating that oversight entirely.

37 Ensuring Financial Investment in Digital Operational Resilience

The management body must also ensure that the financial entity allocates a level of ICT investment and budget sufficient to meet its digital operational resilience baseline. This financial commitment underpins the continuing work of maintaining and improving ICT systems and resilience capabilities so that the entity remains protected as cyber threats evolve.

38 Compliance with International Standards

DORA draws on relevant international, national and industry standards, guidelines, recommendations and approaches to managing cyber risk. Financial entities remain free to adopt ICT risk management models that follow these standards, provided they comply with any specific supervisory instructions on how international standards are to be used and incorporated into their frameworks.

39 Maintaining Technological Resilience

Financial entities must keep their ICT systems up to date and provide sufficient capacity to process the data required for their activities and services, including the additional processing demand that arises under stressed market conditions or other adverse situations. DORA does not mandate the standardisation of particular ICT systems, tools or technologies, but it promotes the use of European and internationally recognised technical standards and industry best practices, guided by supervisory recommendations.

40 Business Continuity and Recovery Planning

Efficient business continuity and recovery plans are vital for financial entities to respond promptly to ICT-related incidents, and to cyber-attacks in particular. These plans should provide for backup systems that can begin processing without undue delay, unless starting them would jeopardise the integrity and security of network and information systems or the confidentiality of data.

Taken together, these recitals show DORA's intent to strengthen the EU financial sector's resilience against ICT risk, to foster collaboration between financial entities and authorities, and to ensure continuity of services in an increasingly digital environment.