The Digital Operational Resilience Act (DORA)
On December 14, 2022, the European Parliament adopted the Digital Operational Resilience Act (DORA). This regulation marks a turning point in European legislation for the financial sector. Whereas previously cyber risks were largely regulated nationally and often piecemeal, DORA introduces a uniform and legally binding framework.
The goal is clear: financial institutions within the EU must be demonstrably resilient against cyber threats, operational disruptions and technological failures. The emphasis is no longer on compliance with directives, but on structurally strengthening digital resilience and managing ICT risks, both within their own organization and within the chain.
View the regulation of the European Parliament >
Applicable to whom?
The legislation applies to a wide range of financial entities:
- Banks.
- Insurers.
- Pension funds.
- Investment institutions.
- Payment service providers.
- Insurance intermediaries.
- Central counterparties.
- (I)CSDs and other critical market participants.
In addition, the scope explicitly extends to third parties, including IT service providers, cloud providers, chain partners and shared service centers. Institutions themselves remain responsible for managing outsourced IT risks.
DORA compliance thus requires integrated supply chain management, clear governance and demonstrable control. ARC People supports with specialized consultants in designing and implementing these control measures.
Content of legislation
DORA consists of five main components:
- ICT risk management: embed ICT risks within the broader risk management framework, including governance, policy and continuous monitoring.
- Incident reporting: mandatory reporting of significant ICT incidents, including root cause analysis, timelines and remedial actions.
- Digital resilience testing: regular and structured testing procedures, including threat-led penetration testing in accordance with the TIBER-EU framework.
- Third-party risk management: transparency on outsourcing, including risk assessments, contractual agreements, exit strategies and performance monitoring.
- Cyber threat information sharing: structured sharing of threat information with relevant parties in the ecosystem, with safeguards for confidentiality and proportionality.
Furthermore, the regulations consist of the following technical standards at the detail level (Level 2):
- Regulatory Technical Standards (RTS), for example the requirement to perform threat-led penetration testing according to the comprehensive TIBER-EU framework.
- Implementing Technical Standards (ITS). The ITS include detailed templates that must be used to comply. An important example is the "Register of Information": the "ITS Register of Information" specifies in great detail how this register must be constructed. See also the figure below.
[Figure: Templates in ITS Register of Information]
It is important to note here that the final version of the second part of the RTS and ITS did not become available until July 2024.
Relationship to DNB Good Practice Information Security
To support financial institutions in preparation, DNB published an updated version of the Information Security Good Practice on December 19, 2023. This update provides a bridge between the existing national framework and the newer European regulations.
A subsequent silent update to this version states:
"As of Jan. 17, 2025, DORA is the legal framework for operational resilience and thus replaces the current Good Practice Information Security 2023 for institutions covered by DORA. You can use Good Practice Information Security 2023 as a guide to prioritize measures that mitigate key risks."
In practice, this means that the Good Practice retains its value as a practical guide, but institutions must legally and substantively focus on DORA as the new review framework. ARC People advises institutions on how to carefully bridge this transition. We do this with an eye for proportionality, feasibility and the expectations of supervisors.
ARC People's role: consulting, audit and implementation
DORA requires more than compliance. It requires structure, governance and consistency. ARC People's consultants guide institutions in translating regulatory requirements into an applicable and sustainable framework. Our efforts focus on such areas as:
- Quick scans and maturity assessments.
- Development of an integrated DORA roadmap and its project implementation.
- Audit preparation support.
- Setting up reporting chains and accountability structures.
- Consulting on supply chain management and functional design of the Register of Information.
As a specialized partner, we bring together in-depth subject matter knowledge with experience at the intersection of risk, compliance and audit. We know the expectations of regulators and translate them into the reality of your organization.
Learn more about DORA
Are you interested in learning more about this topic? Then contact one of our experts. We are ready to answer your questions and help you further.
Our knowledgeable team, with years of experience, will provide you with personalized advice appropriate to your specific situation. We strive to respond to your inquiries as quickly as possible.