Getting Started
Last updated: January 07, 2025
Getting started with the Digital Operational Resilience Act (DORA) means developing a comprehensive approach to ICT risk management that aligns with DORA's requirements. DORA covers the policies, procedures, tools, strategies, roles and responsibilities for managing ICT risk within the financial sector. To begin, financial entities must understand the DORA regulation, especially the sections relevant to their own sector and size.
Key Pillars
Overall, DORA comprises nine Chapters and 64 Articles, based on the current text at the time of writing. In addition, the European Union has introduced regulations that supplement DORA. These are:
- Regulatory Technical Standards (RTS) and
- Implementing Technical Standards (ITS)
DORA contains five Key Pillars that provide a structured approach to enhancing ICT agility and bolstering the ICT risk management frameworks of financial entities. These pillars are:
- ICT Risk Management (Chapter II, Articles 5-16): Financial institutions are required to implement robust ICT risk management frameworks, and must assess and mitigate risks related to ICT systems and processes in order to manage cyber threats and ensure business continuity.
- ICT Incident Reporting (Chapter III, Articles 17-33): DORA introduces mandatory reporting requirements for ICT-related incidents. Financial entities must report major incidents to their national authorities in a timely manner.
- Digital Operational Resilience Testing (Chapter IV, Articles 24-27): Institutions must regularly test the effectiveness of their ICT systems to ensure resilience against disruptions, including through stress tests and simulation exercises.
- ICT Third-Party Risk Management (Chapter V, Articles 28-44): Third-party ICT providers must meet the same operational requirements, with appropriate monitoring and oversight in place.
- Information Sharing (Chapter VI, Article 45): DORA fosters information sharing and collaboration within the financial sector.