The Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is the European Union's response to ever-increasing, more sophisticated, and elaborate cyber threats. Effective since January 17, 2025, DORA is reshaping the financial world by setting higher standards for cyber resilience.

Much has been written about DORA’s five pillars: ICT risk management, incident management, resilience testing, third-party risk, and information sharing. While these elements are crucial, there is more to DORA than just these core aspects.

Understanding what is NOT an ICT service

Annex III of the ITS on the Register of Information provides an exhaustive list of the ICT services covered under DORA. However, it lacks clarity on what should not be considered an ICT service. In today’s digital landscape, financial services are inherently intertwined with ICT. But does that mean every financial service is an ICT service? Since financial entities are already regulated and required to comply with DORA, adding another layer of ICT service classification could increase the compliance burden without significantly improving sector-wide resilience.

Fortunately, EIOPA addressed this concern in a Q&A (2999 - DORA030), effectively excluding ICT services provided as part of a financial service:

Financial services may entail an ICT component. In the case that financial entities provide ICT services to other financial entities in connection to their financial services, the receiving financial entities should assess whether i) the services constitute an ICT service under DORA, and ii) whether the providing financial entities and the financial services they provide are regulated under Union law or any national legislation of a Member State or of a third country. In case both tests are positive, then the related ICT service should be considered to predominantly be a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).

Principle of proportionality

Establishing a well-documented and justified proportionality approach is foundational to implementing DORA’s five pillars. This requires understanding, among others:

  • The entity’s size
  • Its risk profile
  • The nature and complexity of its licensed activities

Not every entity operates at the scale of JPMorgan or Deutsche Bank. Organizations should leverage proportionality to define a pragmatic and effective approach to resilience.

Failing to articulate this approach may have negative consequences. Without it, an entity could inadvertently set itself up to meet the strictest cyber resilience requirements, even if those requirements don’t align with its actual risk profile. If those measures fit your business, great! If not, take the time to establish a more suitable, risk-based strategy.

Understanding the supply chain

Another key decision is determining how far to investigate the supply chain. Analyzing the entire supply chain is impractical and would impose a heavy compliance burden. At some point, the risk impact diminishes, making further scrutiny inefficient.

Guidance from the Q&A on Registers of Information sheds light on the expected depth of analysis:

a) all direct ICT third-party service providers;

b) all ICT intragroup service providers;

c) for the ICT services supporting a critical or important function or material part thereof, all subcontractors that effectively underpin the provision of those ICT services (i.e. all the subcontractors providing ICT services whose disruption would impair the security or the continuity of the service provision);

d) where an ICT intragroup service provider uses subcontractors to provide their ICT services to the financial entity, at least the first extra-group subcontractor even if the ICT services provided do not support a critical or important function or material parts thereof.

The proportionality principle can again be leveraged to define an efficient and justified strategy for tackling these requirements. A balanced approach is key to meeting compliance obligations without unnecessary overhead.

Closing thoughts

The clarification on the status of financial entities has been crucial in reducing the regulatory burden while maintaining the core objectives of DORA. Although the announcement came late in the process, its outcome was undoubtedly welcomed by the industry.

Additionally, the principle of proportionality remains a cornerstone of DORA, enabling financial entities to tailor their resilience strategies. This ensures that firms can implement measures that are both robust and adaptable, allowing them to withstand cyber threats without unnecessary complexity or excessive costs.