DORA Regulation
Last updated: January 07, 2025
The Digital Operational Resilience Act (DORA) is a European Union (EU) regulation intended to strengthen the Information and Communications Technology (ICT) of the financial sector.
Summary
In 2020 the European Commission introduced a set of regulatory proposals to support digital innovation and modernise the European Union’s (EU) financial sector. The Digital Finance Package (DFP) strives to position the EU as a leader in digital finance innovation, while protecting customers and safeguarding financial stability. The DFP includes four main components:
- Regulation on Markets in Crypto-Assets (MiCA) - The goal of MiCA is to establish a regulatory framework for crypto-assets and related services.
- Digital Operational Resilience Act (DORA) - The goal of DORA is to ensure that financial institutions and service providers within the EU can withstand, respond to, and recover from operational threats and disruptions.
- Pilot Regime for Distributed Ledger Technology (DLT) - The goal of the DLT Pilot Regime is to create a temporary framework in which financial institutions can experiment with blockchain and other DLTs and evaluate the risks.
- Retail Payments Strategy (RPS) - The goal of the RPS is to support the development of efficient payment solutions for the EU.
The focus of this Cyber Exposure Study is on DORA. The regulation, which will come into force on 17th January 2025, imposes obligations on financial entities, but also on their digital service providers, which must review their procedures, contracts, mechanisms and tools on a regular basis to ensure information systems security. DORA was originally adopted in 2022. DORA ensures that financial institutions can withstand, respond to, and recover from all types of ICT-related disruptions, thereby enhancing the operational resilience of financial systems across the EU.
Scope
DORA applies to a wide range of financial entities including (See DORA Article 2 for a complete list):
- Banks
- Payment Services Providers
- Investment Firms
- Insurance Companies
- and other financial market infrastructures.
- ICT service providers, such as Cloud Providers, Data Centers, and Software Providers, who support financial institutions are also included.

HOWEVER, DORA does not apply to all financial institutions. DORA does not apply to:
- small enterprises, which employ 10 or more persons but fewer than 50 persons, and have an annual turnover and/or annual balance sheet total that exceeds EUR 2 million but does not exceed EUR 10 million;
- medium-sized enterprises, which employ fewer than 250 persons and have an annual turnover that does not exceed EUR 50 million and/or an annual balance sheet total that does not exceed EUR 43 million; or
- microenterprises, which employ fewer than 10 persons and have an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million.
DORA represents the first attempt to streamline ICT risk management in the financial sector in the EU. Other EU legislation, such as the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NIS), is principle-based. DORA, by contrast, contains detailed lists of requirements, including additional documents called Regulatory Technical Standards (RTS). Where DORA differs from NIS/NIS2 is in the sectors to which it applies: NIS applies to the critical infrastructure sectors, whereas DORA applies only to the financial sector and is critical for its third-party ICT providers. Any overlap between the two is addressed via a lex specialis exemption, meaning that in case of conflict, DORA applies first.
Notes related to Requirement 3: This requirement concerns the controls around account data that is printed or stored in any form. Account data comprises both cardholder data and sensitive authentication data. While this requirement is not supported by Tenable directly, the recommended practice is to keep storage of account data to a minimum: do not store sensitive authentication data (SAD) after authorization; restrict the display of the full primary account number (PAN) and cardholder data; and secure the PAN, account data, and any cryptographic keys used to protect that data wherever they are stored.