
Digital Operational Resilience Act (DORA) (EU) 2022/2554

The new EU act to strengthen the cyber resilience of the financial sector in the European Union: which organizations it applies to, what it requires, and how Rheintec supports you in complying with it

To which organizations DORA applies

The DORA Act is a comprehensive regulatory framework designed to enhance the digital operational resilience of financial entities across the European Union. Its applicability extends to a wide array of financial institutions, including

  • Banks
  • Insurers & Reinsurers
  • Brokers
  • Payment service providers
  • Electronic money institutions
  • Investment firms
  • Crypto-asset providers
ensuring that all key players within the financial ecosystem are covered. By encompassing such a broad spectrum of entities, the DORA Act aims to create a unified approach to managing ICT risks, thereby fortifying the entire financial sector against potential digital threats.

The reach of the DORA Act is not limited to the entities themselves but also extends to their ICT third-party service providers. This inclusion is crucial, as many financial institutions rely heavily on external partners for critical ICT services. By mandating that these third-party providers adhere to stringent risk management and resilience standards, the DORA Act ensures that the entire supply chain is robust and secure.


Requirements of the Digital Operational Resilience Act

  • ICT risk management: Key obligations include cybersecurity governance (including an asset inventory) and implementing key documents and processes such as an Information Security Policy and a Business Continuity Plan
  • Third-party ICT risk management: Vendors must undergo due diligence, and extensive contracting obligations apply
  • Reporting of major ICT-related incidents: Which incidents must be reported, and what the reports must contain, is defined by specific criteria detailed in related guidance
  • Testing of digital operational resilience: Including threat-led penetration testing for entities that are relevant to the stability of the EU financial sector
  • Information and intelligence sharing: Voluntary sharing of cyber threat information and threat intelligence


How Rheintec supports your organization

Rheintec applies an integrated approach to establishing Information Security Management Systems (ISMS). With our proven track record, we provide hands-on consulting services to support and guide you through the process.

Our goal is to embed the ISMS in your existing business processes, thereby increasing adoption of DORA-governed practices and controls across your whole organization and its employees.


Roadmap to DORA Compliance

(Figure: ISO 27001 Certification Roadmap)

DORA Timeline

  • 16 January 2023: DORA regulation comes into force
  • 13 March 2024: Batch I Regulatory Technical Standards (RTS) adopted by EU Commission
  • 17 July 2024: Batch II RTS and Implementing Technical Standards (ITS) submitted to EU Commission
  • 26 July 2024: European Supervisory Authorities (ESAs) finalize RTS
  • 17 January 2025: DORA requirements apply to affected entities & compliance becomes mandatory


Helpful links and reads

Uncertain about your current compliance status or the applicability of DORA for your organization?

Schedule a free meeting with one of our consultants to find out and discover how Rheintec can support your business.