Meet DORA requirements for digital resilience in the financial sector
The Digital Operational Resilience Act (DORA) came into force in January 2025 and imposes new requirements on financial companies' digital resilience, ICT risk management, and supplier monitoring.
ICT risk management
DORA requires financial companies to implement a comprehensive ICT risk management framework with documented processes to systematically identify, classify, monitor, and manage digital risks throughout the organization.
Incident reporting
The regulation imposes strict requirements for rapid reporting of serious ICT-related security incidents to relevant supervisory authorities with clearly specified timeframes, content requirements, and follow-up procedures.
Supplier monitoring
DORA introduces comprehensive requirements for managing, evaluating, and continuously monitoring critical third-party ICT providers, including special supervisory oversight for providers classified as systemically important.
Digital recovery
Financial companies must conduct regular and comprehensive stress tests and crisis management exercises to verify the organization's ability to quickly restore business-critical functions after serious cyber disruptions.

DORA represents a paradigm shift for financial companies' management of digital risks. With ChainSec, you get a systematic approach to supplier monitoring and ICT risk management that supports your work with both current and future requirements for digital resilience.
What is DORA and who is covered?
The Digital Operational Resilience Act (DORA) is an EU regulation that came into force in January 2025 and aims to strengthen digital resilience within the financial sector. The regulation covers banks, insurance companies, securities firms, payment institutions, pension funds, and other financial actors, as well as their critical ICT service providers.
To meet DORA requirements, financial companies need to implement comprehensive measures:
Robust ICT risk management with focus on digital risks and security in information and communication technology.
Systematic monitoring and verification of critical ICT providers' security level and performance.
Mandatory stress tests and crisis management processes to verify digital resilience and recovery capability.

How ChainSec supports your DORA compliance
ChainSec's platform supports financial organizations in working with DORA requirements through systematic management of supplier risks and digital resilience. Work smarter with security controls, document ICT risk management, and gain full control over your critical supplier relationships.
Critical ICT providers
Document and categorize all ICT providers in a central register with focus on critical services. Identify which providers should be classified as critical according to DORA and get a full overview of all supplier relationships and the risk they pose to the business.
Systematic security assessments
Build your own assessments adapted to DORA's requirements for ICT risk management. Create forms to evaluate providers' security level. Systematically identify risks and vulnerabilities in the supply chain, document all assessments, and follow up on improvement work in a structured way over time.
ICT risk management
Implement comprehensive risk management processes for your digital services and critical ICT systems. Assess consequences of potential disruptions, evaluate providers' crisis management capability and recovery times, and document all risk assessments.
Regulatory compliance and reporting
Create a solid documentation base for supervisory authorities with automatically generated reports on ICT risk management, third-party monitoring, incident management, and conducted stress tests according to DORA's specified reporting requirements.
See ChainSec in action
Book a demo and we'll show you how you can handle gap analyses and supplier reviews in one system – instead of Excel. After the demo, you can test the platform for free.
Questions and answers
- What is DORA and when did it come into force?
DORA (Digital Operational Resilience Act) is an EU regulation that came into force on January 17, 2025. The regulation aims to strengthen financial companies' and their critical ICT service providers' ability to have robust systems and processes to withstand, manage, and recover from ICT-related disruptions and cyber threats. DORA covers five main areas: ICT risk management, incident management and reporting, digital operational resilience testing, management of third-party ICT risks, and information sharing on cyber threats.
- Which financial companies are covered by DORA?
DORA covers a broad category of financial companies within the EU, including credit institutions and banks, payment institutions and e-money institutions, securities firms and trading venues, insurance companies and insurance intermediaries, fund managers and UCITS funds, pension funds and pension institutions, credit rating agencies, and crypto-asset companies. Critical third-party ICT providers that provide services to the financial sector are also subject to direct supervision. Unlike many other regulations, there are no size exemptions - even small companies must work according to DORA requirements, though with a proportionality principle.
- What is the difference between DORA and NIS2?
DORA and NIS2 (the Cybersecurity Act) are both EU regulations focusing on cybersecurity, but have different orientations. DORA is specifically designed for the financial sector with very detailed requirements for ICT risk management, strict rules for managing critical ICT providers with direct EU supervision, mandatory stress tests and resilience exercises, and specific reporting requirements for ICT incidents. NIS2 has broader application across several critical sectors with more general cybersecurity requirements and national supervision. Financial companies may need to follow both DORA and NIS2 depending on operations, but DORA takes precedence for financial services.
- What is required for ICT risk management according to DORA?
DORA's requirements for ICT risk management are comprehensive and systematic. Companies must implement and document ICT risk management frameworks with policies approved by the board, identify and classify all ICT assets and dependencies, conduct regular risk assessments of ICT systems and data, implement appropriate security measures based on risk assessments, and establish continuity and recovery capability through backup and restoration plans. Requirements also include continuous monitoring and logging of ICT systems, and regular updates of the risk management framework. All work should be documented and verifiable during supervision.
- What requirements does DORA impose on managing ICT providers?
DORA introduces very strict requirements for managing third-party ICT providers. Companies must maintain a complete register of all ICT providers, identify and classify critical ICT providers, and verify that agreements contain specific security clauses including audit rights, exit strategies, and incident reporting. Continuous monitoring of providers' performance and security is required, as well as documented exit strategies for critical providers. Particularly important is that critical ICT providers can come under direct supervision by EU authorities. Companies must be able to demonstrate that they have control over their supplier risks through systematic documentation.
- What does DORA's incident reporting requirement entail?
DORA imposes clear and strict requirements for reporting ICT-related incidents. For major ICT incidents, companies must provide initial notification to their supervisory authority within 4 hours of discovering the incident, followed by an incident report within 72 hours with more detailed information. An intermediate report is required when the incident status changes significantly or at the latest one month after initial notification, and finally a final report no later than one month after the incident is resolved. Reports must contain specific information about the incident's nature, impact, actions taken, and root causes. Even less significant incidents should be reported annually.
- What is digital operational resilience testing according to DORA?
DORA requires financial companies to regularly test their digital resilience through different types of tests. This includes annual basic testing of ICT systems and security measures, vulnerability assessments and scanning, scenario-based tests for different types of cyber threats, and recovery tests for critical functions. Larger companies must at least every three years conduct advanced threat-led penetration testing (TLPT) - simulated cyber attacks conducted by external experts according to the EU framework. All tests should be comprehensively documented and the results should be used to improve security and resilience.
- How can ChainSec help us with DORA compliance?
ChainSec offers a specialized platform that covers several critical aspects of DORA compliance. With our system, you can create and maintain a central register of all ICT providers with classification of critical providers, conduct systematic security assessments of providers with DORA-adapted question forms, document and follow up on ICT risks and vulnerabilities in the supply chain, implement structured monitoring of provider performance and security, and generate reports for supervisory authorities showing regulatory compliance. Our solution simplifies work with DORA's comprehensive requirements for third-party risk management and helps you build the documentation required to show full control over your ICT provider risks.
- What penalties can we face for inadequate DORA compliance?
DORA introduces significant administrative penalties for inadequate compliance. Supervisory authorities can issue fines of up to 10 million euros or 5% of the company's total annual turnover globally (depending on which is higher) for serious violations. For management members, fines can amount to 1 million euros or 5% of their annual salary. In addition to financial penalties, supervisory authorities can take other measures such as requiring the violation to cease, publicly disclose violations, temporarily prohibit management personnel from exercising their functions, or in serious cases revoke operating licenses. It is therefore critical to have systematic processes and documentation in place to demonstrate compliance.
- How does DORA relate to other financial regulations?
DORA complements and harmonizes existing EU regulations for the financial sector by replacing fragmented national ICT risk rules with uniform EU requirements. DORA interacts with regulations such as PSD2 for payment security, MiFID II for securities firms, Solvency II for insurance, and CRR/CRD for banks. By creating a common standard for digital resilience, DORA avoids overlapping and contradictory national requirements. Companies must integrate DORA compliance with their existing compliance structure, but the advantage is that the regulation creates clarity and uniformity throughout the EU. DORA's requirements also complement GDPR's data protection requirements by focusing specifically on operational resilience.