
What is DORA?

On December 14, 2022, the Digital Operational Resilience Act (DORA) was released by the European Parliament with the main goal of unifying and standardizing cyber risk laws and regulations for the financial sector and, of course, strengthening digital resilience against cyber attacks.

View the regulation of the European Parliament >

For whom applicable

This legislation comes into force on January 17, 2025 for a wide range of financial entity types in the EU: banks, insurers and, of course, pension funds are within its scope. However, the reach of DORA is much larger, because under DORA financial entities are also responsible for the ICT risks of third parties (including implementing organizations and supply chain partners such as ICT service providers).

Content of legislation

DORA has 5 major components at the main level (level 1):

    1. ICT risk management;
    2. Reporting of ICT incidents;
    3. Testing digital resilience;
    4. Manage ICT risks with third parties;
    5. Information sharing around cyber threats and vulnerabilities.

Furthermore, DORA consists of the following detailed-level (Level 2) technical standards:

  • Regulatory Technical Standards (RTS), such as, for example, performing Threat-led Penetration testing according to the comprehensive TIBER-EU standards framework. Learn more >
  • Implementing Technical Standards (ITS). The ITS includes detailed templates that must be used to comply with DORA. An important example herein is the "Register of Information." The "ITS Register of Information" specifies in the greatest detail how this register should be constructed. See also the figure below.

Templates in ITS Register of Information

It is important to note here that the final version of the 2nd part of the RTS and ITS did not become available until July 2024.

Relationship to DNB Good Practice Information Security

To prepare for the DORA, DNB released an update to the Information Security Good Practice on December 19, 2023. However, an additional "silent" update to this version indicates the following: "As of Jan. 17, 2025, DORA is the legal framework for operational resilience and thus replaces the current Good Practice Information Security 2023 for the institutions covered by the scope of DORA. You can use Good Practice Information Security 2023 as a guide to prioritize measures that mitigate key risks."

Go to Q&A >

Implementation

As mentioned, the implementation of DORA has far-reaching implications for financial entities (including pension funds), and the expected implementation time for each organization is considerable: all articles together run to hundreds of pages. It is therefore important to start as soon as possible.


Learn more about DORA

Are you interested in more information on this topic? Then please contact Anita van der Leeuw, Carlo Bavius or Toine van den Hurk. We are ready to answer your questions and help you further.

Our expert team, with years of experience, is ready to support you and offer personalized advice tailored to your specific situation. We strive to respond to your inquiries as quickly as possible so that you are always helped quickly.

Anita van der Leeuw

Senior Manager of IT Audit & Risk

06-18682946

Carlo Bavius

RO RE CIA CRISC CRMA - Associate Partner

06-40050555

Toine van den Hurk

Senior Manager of IT Audit & Risk

06-41773152