Digital Operational Resilience Act (DORA)
DORA (Digital Operational Resilience Act) is an EU regulation aimed at strengthening the digital operational resilience of the financial sector.
The regulation entered into force in the EU on January 16, 2023, and will become legally binding from January 17, 2025. In Norway, Finanstilsynet expects DORA to be incorporated into national law without significant delays, likely through the "Act on Digital Operational Resilience in the Financial Sector."
DORA applies to all financial institutions and their critical ICT providers, but its requirements follow the principle of proportionality. This means that the scope and complexity of the obligations will depend on the size, complexity, and risk exposure of each organization.
The regulation imposes detailed requirements on processes and measures related to ICT risk management, incident handling, digital resilience testing, and third-party risk management, all of which must be implemented to ensure compliance.
Governance and Control of ICT Risk

Financial entities must establish an internal governance and control framework that ensures the effective and prudent management of ICT risk. Senior management is responsible for the risk framework, and ICT risk must be integrated with the organization's overall risk management framework.
The risk framework must be clearly documented in policies, with defined roles and responsibilities. It should be reviewed at least annually or following incidents, test results, or supervisory instructions.
All systems must be up-to-date and technologically resilient. IT assets, vendors, and critical business processes must be identified, registered, and linked to the risk framework.
Once these elements are in place, the organization must allocate sufficient capacity to monitor user activity, detect anomalies, and respond to incidents, particularly cyberattacks. In the event of an incident, contingency plans must be easily accessible and promptly executed. All actions taken must be documented, key learnings identified, and used as a basis for further training.
Managing ICT-Related Incidents
Financial institutions must define, establish, and implement a structured process for managing ICT-related incidents to ensure effective detection, response, and notification of such events.
All incidents and significant cybersecurity threats must be logged, and appropriate procedures and processes must be in place to ensure consistent and integrated monitoring, handling, and follow-up. The root causes of incidents must be identified, documented, and addressed to prevent recurrence.
Clear roles and responsibilities must be established to ensure effective communication internally, externally, and with senior management and the board.
Testing digital operational resilience
Financial entities must establish, maintain, and evaluate a robust and comprehensive testing program for digital operational resilience as an integral part of their ICT risk management framework. The purpose of this program is to assess incident preparedness, identify weaknesses, deficiencies, and gaps in digital resilience, and enable rapid corrective actions.
Testing must be risk-based and conducted in accordance with DORA’s proportionality principle.
The testing program should include a range of appropriate assessments, such as vulnerability assessments and scans, open-source analysis, network security evaluations, gap analyses, physical security reviews, questionnaires, scanning tools, source code reviews (where applicable), scenario testing, compatibility testing, performance testing, end-to-end testing, and penetration testing.
Testing may be conducted internally, provided independence requirements are met. However, at least every third test must be performed by an external party.
Managing Third-Party ICT Risk
Financial entities must integrate third-party ICT risk management into their overall ICT risk framework, ensuring that risks associated with external vendors are effectively controlled. The strategy for managing third-party risk must be documented and approved by senior management.
Third-party risk assessments must be conducted regularly and in accordance with the principle of proportionality. This means that the scope, complexity, and criticality of each vendor relationship must be evaluated to determine whether they support critical or important functions for the organization.
Before entering into an agreement with a vendor, organizations must assess whether the vendor supports critical or important functions and ensure compliance with regulatory requirements. Additionally, a risk assessment and due diligence must be conducted, including an evaluation of potential conflicts of interest.
The organization must also ensure that regular audits and supervision of the vendor can be conducted and that exit strategies are in place should unacceptable breaches occur.
Information sharing
Financial entities may exchange cyber threat intelligence and information, including indicators of compromise, tactics, techniques, procedures, cybersecurity alerts, and configuration tools, provided that such information sharing is aimed at enhancing digital operational resilience. This exchange must take place within trusted communities of financial entities or through information-sharing arrangements that safeguard the potentially sensitive nature of the shared data.
If an entity participates in such information-sharing arrangements, regulatory authorities must be notified when the entity joins. Additionally, supervisory authorities must be informed if the entity terminates its membership.