Digital Operational Resilience Act

DORA requires financial services organisations to establish an appropriate information and communications technology (ICT) risk management framework that includes the identification, assessment, monitoring, reporting and mitigation of ICT risks. The framework should be tailored to the nature, scale, complexity and risk profile of the business and include clear allocation of responsibilities, appropriate resource allocation, effective governance and monitoring, and regular review and updating.

Financial services organisations must also take appropriate security measures to ensure the availability, integrity, confidentiality and authenticity of their ICT systems. This includes applying industry standards, conducting penetration tests and vulnerability assessments, implementing incident response plans and ensuring data recovery capabilities.

In the Incident Management section, DORA describes how financial services organisations should handle, classify and report ICT incidents. ICT incidents are events that lead or could lead to an impairment or interruption of ICT services, systems or networks or that jeopardise the confidentiality, integrity or availability of ICT assets.

Financial services organisations must establish an internal reporting chain for ICT incidents that includes appropriate escalation procedures, notification mechanisms and roles and responsibilities. They must also have a process for determining the severity of ICT incidents based on the impact on business continuity, customers, financial stability and reputation. Furthermore, serious ICT incidents must be reported immediately to the competent authorities. This should help to facilitate the joint monitoring, assessment and analysis of ICT incidents at national and EU level and promote cooperation between the various supervisory authorities.

A central topic of the DORA is the testing of digital operational resilience. This involves regularly testing and reviewing the effectiveness of ICT security measures and procedures. To this end, internal or external tests must be carried out based on a series of scenarios that reflect the threats and vulnerabilities of ICT systems and networks. The tests are designed to assess the ability of financial services organisations to detect, prevent, mitigate and remediate ICT incidents and disruptions.

DORA places a particular focus on TLPT when testing digital operational resilience. This stands for Threat-Led Penetration Testing, a method for assessing the ICT security of financial services companies. It simulates realistic threat scenarios based on the actors, targets, tactics and techniques observed in current attacks. TLPT is designed to identify weaknesses and gaps in defence mechanisms and provide recommendations for improving digital operational resilience. The scope and frequency of a TLPT are determined by the responsible supervisory authority.

DORA requires financial services organisations to monitor and manage their ICT risks, particularly those arising from reliance on third parties. Third-party ICT risks are risks arising from the use of or reliance on ICT services, systems or networks provided by external providers. A risk-based approach should be taken to identify, assess and mitigate ICT third-party risks, taking into account the nature, scope and complexity of the business activity and the potential impact on financial stability. For example, appropriate due diligence procedures must be carried out prior to a contractual agreement with a third-party ICT service provider and regularly monitored afterwards. It must also be ensured that appropriate control and contingency mechanisms are in place to guarantee the continuity and quality of ICT services and to respond to any disruptions or failures.

The "Register of Information", which represents an overarching inventory for ICT third-party service providers and requires, among other things, the documentation of the associated value chains, especially for services that support critical or important functions, is also a key aspect of managing the risks associated with ICT third-party providers.