DORA Header Banner

The Complete Guide to the Digital Operational Resilience Act (DORA)

In this e-guide, we cover the purpose, scope and key requirements of DORA, how it will impact your organisation, and what you can do to prepare.

Download E-guide

What is DORA?

The Digital Operational Resilience Act (DORA) is an upcoming piece of legislation set out by the EU for the financial services industry, designed to strengthen the sector’s cyber resilience and risk management. It creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA establishes technical standards that financial entities and their critical third-party technology service providers must implement in their ICT systems by January 17, 2025.

Who Must Comply With DORA?

DORA applies to financial entities, as well as every organisation that provides IT services to them. In all, DORA will apply to more than 22,000 financial and ICT service operators functioning within the EU, as well as the ICT infrastructure supporting them from outside the EU. Critical third-country (outside the EU, e.g. UK and USA) ICT service providers to financial entities in the EU will also be required to establish a subsidiary within the EU to facilitate effective regulatory oversight.

How Do I Start Preparing For DORA?

With the act approved, the EU and ESAs have foreseen a period of two years (2023-2024) for companies to prepare for and implement DORA. This period will see ESAs further defining the needed regulatory technical standards (RTSs)

and making requirements more concrete. Organisations should align their governance and practices to DORA’s resilience pillars and identify a roadmap with key deliverables to materialise their digital resilience strategy.

Organisations can do this through an initial gap assessment, starting with an analysis of the company profile. The gap assessment will also define the current level of maturity, including the compliance with existing guidelines (most common references include ESA Guidelines, NIS, CROE, etc.) and with existing IT risk management strategy and standards (such as ITIL, COBIT, NIST CSF, ISO, etc.). This will help identify a delta in DORA requirements and lay out a roadmap analysing the priorities and efforts needed to constitute a sound digital resilience strategy and framework.

In this guide, we also answer:

  • What is the purpose and scope of DORA?
  • How will DORA be enforced?
  • - What are the the five pillars of DORA?
  • - What are the key requirements of DORA?

Dora E Guide


Author

Chris Linnell

Data Privacy Principal Consultant

Linkedin

Download Whitepaper