CySEC publishes the main aspects of the implementation of the digital operational resilience framework (DORA)
DORA framework
The digital operational resilience framework (DORA Framework) consists of:
- Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA): the regulation that sets out the digital operational resilience requirements for the EU financial sector and amends several existing EU regulations.
- DORA Amending Directive (Directive (EU) 2022/2556): amends several EU directives applying to the financial sector to align them with DORA; unlike the regulation, it must be transposed into national law.
- Regulatory and Implementing Technical Standards (RTS and ITS): drafted by the European Supervisory Authorities (EBA, EIOPA and ESMA) and adopted by the European Commission, these standards specify the detailed requirements of the framework, including ICT risk management, the classification and reporting of ICT-related incidents, threat-led penetration testing and the management of ICT third-party risk.
Scope
The DORA Framework applies to a wide range of financial entities, including:
- Banks, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries.
- Entities such as trading venues, trade repositories, central securities depositories, central counterparties, institutions for occupational retirement provision, credit rating agencies.
- Managers of alternative investment funds, management companies, securitisation repositories, administrators of critical benchmarks.
- Crypto-asset service providers, account information service providers, data reporting service providers, ICT third-party service providers, crowdfunding service providers.
Rationale behind the DORA Framework
The DORA Framework addresses the need for a unified approach to digital resilience across the EU’s financial sector. While the sector has robust regulations for traditional risks, digital resilience had not been consistently addressed. By strengthening oversight of ICT risk, the DORA Framework ensures that financial institutions can withstand digital disruptions and protect market integrity, with ICT risk management becoming as critical as other financial regulatory standards.
Key areas of the DORA Act
ICT risk management
Financial entities must have an internal governance and control framework and, within it, a sound, comprehensive and well-documented ICT risk management framework that identifies, protects against, detects, responds to and recovers from ICT risk. This includes keeping ICT systems up to date, maintaining clear documentation of ICT assets and their dependencies, and having comprehensive ICT business continuity and backup policies. The management body bears ultimate responsibility for managing the entity's ICT risk.
ICT-related incidents
Entities must have a process to detect, manage, log and classify ICT-related incidents, including root cause analysis, and must classify incidents using the criteria set out in the regulation and its technical standards. Major ICT-related incidents must be reported to the competent authority (for entities supervised by CySEC, to CySEC) through an initial notification followed by an intermediate report and a final report. Significant cyber threats may additionally be notified on a voluntary basis.
Digital operational resilience testing
Financial entities (other than microenterprises) must establish, maintain and review a comprehensive digital operational resilience testing programme, proportionate to their size and risk profile, that identifies weaknesses and deficiencies, assesses preparedness and leads to corrective measures. In addition, financial entities identified by their competent authority on the basis of impact-related factors, financial stability considerations and their specific ICT risk profile (for example central securities depositories, trading venues and other systemically relevant firms) must carry out advanced testing by means of Threat-led Penetration Testing (TLPT) at least every three years, covering their critical or important functions and, where relevant, the ICT third-party providers supporting them. TLPT is not required of microenterprises or of the entities subject to the simplified ICT risk management framework, namely small and non-interconnected investment firms, payment institutions exempted under Directive (EU) 2015/2366, institutions exempted under Directive 2013/36/EU, electronic money institutions exempted under Directive 2009/110/EC and small institutions for occupational retirement provision.
Managing ICT third-party risk
DORA requires financial entities to manage ICT third-party risk as an integral part of their ICT risk management framework. Financial entities remain fully responsible for compliance with DORA regardless of any outsourcing or other contractual arrangement. They must assess and manage third-party risk in proportion to the criticality of the service and its potential impact on their operations, giving particular attention to ICT services supporting critical or important functions, and their contracts with ICT third-party providers must contain the minimum provisions required by the regulation. Entities must also maintain a register of information on all contractual arrangements for ICT services, make it available to the competent authority on request, and report at least yearly on new ICT third-party arrangements.
Information sharing
Financial entities are encouraged to share cyber threat intelligence, including indicators of compromise and cybersecurity alerts, with one another to enhance sector-wide resilience. Participation in these information-sharing arrangements must be reported to the relevant competent authorities.
Oversight of critical third-party providers
The ESAs will designate ICT third-party service providers as critical after assessing their systemic importance to the financial sector. For each critical provider one of the ESAs is appointed as Lead Overseer, with the powers to assess the provider's ICT risk management, issue recommendations and charge oversight fees, so that providers on which the sector depends are brought within regulatory supervision.
Delegated acts and upcoming developments
In March 2024 the European Commission adopted, on the basis of draft technical standards prepared by the ESAs, several delegated acts covering topics such as the oversight fees charged by the Lead Overseer to critical third-party providers, the criteria for classifying ICT-related incidents as major and the detailed content of ICT risk management policies, including the simplified ICT risk management framework. Further technical standards were still pending at the time of writing, particularly on the reporting of major incidents.
Entry into force and application
DORA applies fully from 17 January 2025.
The deadline for transposing the provisions of the DORA Amending Directive into local legislation was also on 17 January 2025. It is relevant to note here that Cyprus, as well as a number of other EU Member States, have yet to publish legislation in this respect.
CySEC’s document summarising the provisions of the DORA Framework can be found here.