The Digital Operational Resilience Act (DORA) is a European Union regulation that entered into force in January 2023 and will apply from January 17, 2025. Its goal is to regulate the use of information and communication technology (ICT) and digital operational resilience in the financial sector. DORA applies to a wide range of financial institutions, including banks, insurance companies, and investment firms, as well as to service providers that offer critical ICT services to these entities.
One of the main objectives of DORA is to ensure that the boards of directors of financial institutions take an active role in guiding and adapting the overall strategy for ICT risk management and operational resilience. This means that the board is ultimately responsible for the entity's ICT risk management. To meet this responsibility, boards must define, oversee, and be accountable for the implementation of all arrangements relating to the ICT risk management framework. DORA sets out specific minimum requirements for such frameworks, including the strategies, policies, procedures, protocols, and tools necessary to protect all ICT assets and infrastructures against ICT risks. Financial institutions must also establish a strategy for the risks arising from the use of third-party ICT services and regularly review the risks associated with the contractual arrangements for those services.
Under DORA, board members of financial institutions must maintain sufficient knowledge and skills to understand and assess the institution's ICT risk. Failure to comply with these obligations may result in administrative sanctions against board members at the individual level. Financial institutions should therefore assess their ICT risks and practices, including those of their ICT service providers, in good time to meet DORA's requirements and avoid potential administrative sanctions. Doing so also improves their ICT risk management and operational resilience, which helps them better protect their assets and avoid costly disruptions to their business.
Overall, DORA creates a comprehensive framework for managing the risks associated with digitalization in financial institutions. It includes new requirements regarding cybersecurity and operational resilience and imposes new obligations on the boards of directors of financial institutions. National authorities have the power to impose administrative sanctions and remedies in the event of non-compliance, which may be directed at board members of financial institutions and other responsible individuals.