The Frequently Asked Questions are based on the current published requirements of DORA and will be updated once the final versions are published.

What is DORA?

DORA (Digital Operational Resilience Act) is a single legislative act addressing ICT risk in finance across the European union.

When is DORA due?

DORA was published in Official Journal of the EU in December 2022, and enters into force January 2025.

What are the biggest areas DORA addresses?

The biggest areas are;
1) ICT based risk and internal control framework
2) Incident management and reporting
3) Security testing
4) Resilience or business continuity management
5) Third-party risk management

What companies are effected by DORA?

Most companies within banking and finance are effected by DORA (with the exception of financial infrastructure companies) including banks, insurance companies, FinTechs, crypto asset providers and crowd funding companies. ICT third-party service providers are also included in DORA (to be defined by the EU financial authorities) and have to adhere to DORA.

How vital is the future management of ICT third-party providers?

The management of ICT third-party providers is a fundamental concept to DORA. It includes companies’ ability to have appropriate insight to manage, monitor and measure performance of third-party providers.

What is the difference between DORA and the ICT and security risk management regulations?

There are slight differences between DORA and the ICT regulations currently in force. At large the regulations address the same areas but there are subtle differences and focus areas. The ICT regulations are also broader as they are addressing additional areas such as governance and management of ICT.

Will DORA drive organisational changes?

For companies already organised by the three lines-of-defense model no significant changes are needed. For companies who previously have no regulation forcing a three line-of-defense model, a second-line-of-defense needs to established or outsourced to a professional service provider.

Is DORA the final regulation within information security and outsourcing?

DORA is accompanied with three batches of Regulatory Technical Standards (RTS) to clarify and regulate the banking and finance sector even further. These Technical Standards will be published in July 2023, January 2024 and July 2024 . There are also additional regulations under development within the information security areas, such as the EU Cyber Security Act, the NIS 2 Directive, and additional regulation from the European financial authorities (EBA, EIOPA and ESMA).

Want to find out how Advisense can help you?