On 16 January 2023, the Digital Operational Resilience Act (DORA) entered into force. The EU regulation will apply as of 17 January 2025, with the overall objective to strengthen IT security within the financial sector, including all traditionally regulated financial entities as well as third-party suppliers to such entities. DORA is a complex regulatory framework and serves a vital role in ensuring digital resilience in the financial sector.
Objective of the DORA Regulation
The aim of DORA is to increase operational resilience and cybersecurity by establishing binding rules for ICT risk management, incident reporting, resilience testing and third-party risk management (TPRM). DORA also enables financial service supervisors to oversee Cloud Service Providers (CSPs) and other Critical ICT Third Party Providers (CTPPs). Furthermore, the regulation includes specific requirements on the content of agreements with third party providers.
Regulatory Technical Standards
To supplement and specify the rules under DORA, the European Supervisory Authorities (European Banking Authority, European Securities and Markets Authority and European Insurance and Occupational Pensions Authority) will develop regulatory technical standards (RTS). The technical standards complement the regulation, outlining the requirements under the articles in DORA in more detail, and have been published in two batches. The first set was published on 17 January 2024. This batch include technical standards on ICT risk management, classification of ICT-related incidents, specification of the policy on ICT services supporting critical or important functions provided by ICT third-party service providers and establishment of templates for the register of information. The second batch of technical standards was published on 17 July 2024, together with two sets of guidelines. This set of rules included standards for reporting major ICT-related incidents and significant cyber threats. Technical standards on subcontracting ICT services supporting critical or important functions, as part of the second batch, were subsequently published on 26 July 2024.
Challenges and Benefits
We see both challenges and benefits with the implementation of DORA and its technical standards. In terms of challenges, DORA introduces a comprehensive framework for managing IT risks within the financial sector. The complexity can make it difficult to implement all the requirements, especially the requirements provided in the RTS, which is why it is particularly important to keep up to date with the regulatory framework. Furthermore, DORA increases the reporting burden by requiring companies to report incidents and risks in a standardised way. The regulation also requires certain monitoring and management of risks associated with third-party providers.
While the implementation of DORA poses some challenges, the regulation also comes with benefits. Strengthening the digital security within the financial sector is essential for the well-being of the financial market. The regulatory framework promotes standardised reporting and risk management, increasing opportunities for digital operational resilience. By introducing strict requirements for risk assessments and incident management, companies can develop better systems to deal with digital threats and risks. Furthermore, DORA can help increase the trust of costumers and investors by ensuring higher levels of digital resilience. By contributing to a secure digital environment, DORA can foster innovation in the financial sector, which can lead to new services and growth opportunities.

Summary
In conclusion, DORA will present challenges for the financial sector. Navigating the complex regulatory environment will require careful consideration and planning. At the same time, the financial market is increasingly dependent on technology and on tech companies to deliver financial services. DORA will therefore play an important role in IT security in the financial sector.