Strengthening ICT Resilience To Prepare for DORA Compliance in the Financial Sector

October 11, 2024

The Digital Operational Resilience Act (DORA) is an EU regulatory framework designed to strengthen the financial sector’s ability to withstand disruptions to ICT (information and communication technology). According to an article by the Barnea Jaffa Lande law firm, organizations that comply with DORA will standardize operational resilience across the EU to better manage risks and maintain financial stability.

DORA applies to various financial entities, including credit institutions, payment service providers, insurance companies, and ICT providers like cloud and data analytics firms. Notably, DORA has an extraterritorial reach, affecting non-EU ICT providers if their services are critical to EU-based financial institutions.

The article highlights these key DORA compliance requirements:

  1. ICT Risk Management: Financial entities must establish robust frameworks to identify, mitigate, and recover from ICT-related incidents and conduct regular risk assessments.
  2. Incident Reporting: Institutions are required to report major ICT incidents to regulators within specific timeframes to enhance transparency.
  3. Resilience Testing: Regular testing of ICT systems, including penetration and scenario-based tests, is mandatory, with external validation recommended for larger institutions.
  4. Third-Party Risk Management: Contracts with ICT providers must include clauses for resilience monitoring, incident reporting, and exit strategies.
  5. Information Sharing: Institutions are encouraged to share intelligence on ICT threats to promote collective sector resilience.

As the January 2025 compliance deadline approaches, companies should review current ICT risk practices, strengthen internal frameworks, prepare for resilience testing, and update third-party contracts to meet DORA’s requirements.
