Digital Operational Resilience Act (DORA)

From RI Wiki
Revision as of 3 June 2025, 13:13 by Jhospes (talk | contribs) (Page created: "Practical Tip: Medium-sized enterprises should prepare model contracts to clearly regulate requirements for third-party providers. Many SMEs lack centralized contract frameworks, complicating implementation.")

Regulation (EU) 2022/2554

Title: Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
Short title: Digital Operational Resilience Act
Designation (unofficial): DORA
Scope: EEA
Legal area: Internal market, cybersecurity
Legal basis: TFEU, in particular Art. 114
Full text: Consolidated version (unofficial); Original version

Summary

Introduction

The DORA Regulation (Digital Operational Resilience Act) is a comprehensive regulation on digital resilience, specifically developed for the financial sector of the European Union. It complements existing regulations and builds on established concepts such as information security, data protection, and risk management to strengthen resilience against ICT risks.

Alongside DORA, Directive 2022/2556 on digital operational resilience in the financial sector (“DORA Directive”)[2] and Directive (EU) 2022/2557 on the resilience of critical entities, which provides for individual amendments to several directives, were also adopted. The DORA Directive, applicable from 17 January 2025, must be transposed into national law by the EU Member States.

Delegated Regulation (EU) 2024/1774 of 13 March 2024 further supplements DORA.

In relation to the NIS2 Directive, DORA takes a special position as, according to Recital 16 DORA, it is considered lex specialis and thus takes precedence over the NIS2 Directive. This precedence means that DORA provisions are primarily applicable to financial entities. In areas where the NIS2 Directive provides more specific rules than DORA, these NIS2 provisions apply in addition to DORA. The implementation of DORA and transposition of NIS2 legislation also impact national regulations and requirements. Existing national provisions (as of October 2024, the NIS2 Directive has not yet been implemented in Austria) are therefore significant.

Scope

Personal / Material Scope

DORA applies to the entities listed in Article 2(1)(a) to (t) DORA (so-called “financial entities”). These include (a) credit institutions, (b) payment institutions, including those exempted under Directive (EU) 2015/2366, (c) account information service providers, (d) electronic money institutions, including those exempted under Directive 2009/110/EC, (e) investment firms, (f) crypto-asset service providers authorised under the so-called “Markets in Crypto-Assets Regulation” and issuers of asset-referenced tokens, (g) central securities depositories, (h) central counterparties, (i) trading venues, (j) trade repositories, (k) alternative investment fund managers, (l) management companies, (m) data reporting service providers, (n) insurance and reinsurance undertakings, (o) insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries, (p) institutions for occupational retirement provision, (q) credit rating agencies, (r) administrators of critical benchmarks, (s) crowdfunding service providers, and (t) securitisation repositories.

The regulation also covers companies that provide IT services to financial entities (so-called “ICT third-party service providers”), such as cloud providers.

Exemptions

Entities falling outside the scope of DORA under Article 2(3) include: (a) alternative investment fund managers referred to in Article 3(2) of Directive 2011/61/EU, (b) insurance and reinsurance undertakings under Article 4 of Directive 2009/138/EC, (c) institutions for occupational retirement provision operating pension schemes with fewer than 15 active members, (d) natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU, (e) insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries classified as micro, small or medium-sized enterprises, and (f) post giro offices under Article 2(5)(3) of Directive 2013/36/EU.

Microenterprises (i.e. financial entities with fewer than ten employees and an annual turnover or balance sheet total not exceeding EUR 2 million) are largely exempt from these obligations.

DORA applies to all financial entities within its scope, regardless of their size or structure. The scope cannot be narrowed at local level, and definitions such as "critical services" and "essential services" cannot be modified. Once a company falls within scope, DORA applies to the entity in its entirety, including any subsidiaries or ancillary operations (in theory, even company-run childcare facilities).

Territorial Scope

The territorial scope of DORA primarily includes all financial entities and relevant ICT service providers operating in the European Union. In addition to EU-based financial entities and ICT service providers, DORA also applies to branches and subsidiaries of EU financial entities located outside the Union, provided these branches and subsidiaries provide services into the EU. This is to ensure the operational resilience of the financial sector across the Union, including where dependencies exist on global providers or international subsidiaries.

Core Content

Management of ICT Risks and Incidents

ICT Risks

Under DORA, financial entities are required to establish a comprehensive internal governance and control framework for managing information and communication technology (ICT) risks. This framework must be regularly reviewed and documented, with microenterprises only needing to conduct regular reviews. The goal is to effectively address ICT risks. The specific requirements for ICT risk management are set out in Article 5(2) DORA. Responsibility for defining, approving, and monitoring ICT risk management lies with the management body of the respective financial entity, which is also responsible for implementing the measures. Financial entities that are not classified as microenterprises must also establish an independent control function to oversee and manage ICT risks.

A central aspect of DORA is the responsibility of the management body (e.g., board of directors) for digital resilience. Business Continuity Management (BCM) serves as the key entry point for putting this responsibility into practice. DORA requires that the management body itself possesses the necessary expertise and may no longer simply delegate it. This could lead to structural changes in corporate governance, such as the integration of a CIO or CTO at board level.

ICT-Related Incidents

Furthermore, financial entities must establish processes to ensure that ICT-related incidents are promptly identified, addressed, classified, and reported. Particularly severe ICT incidents, as defined under Article 18(1) DORA, must be reported to the competent supervisory authorities through a three-stage procedure. In cases where serious ICT incidents affect the financial interests of customers, financial entities must inform their customers immediately upon becoming aware of the incident. Cyber threats deemed significant under Article 18(2) DORA must also be recorded and may be reported voluntarily.

To support financial entities in implementing these requirements, the European Supervisory Authorities have issued several regulatory technical standards (RTS). These include provisions on the tools, methods, processes, and policies for ICT risk management, as well as simplified risk management frameworks for microenterprises. Further RTS specify criteria for classifying ICT incidents and cyber threats, as well as materiality thresholds and reporting requirements for major incidents. Reporting and classification of ICT-related incidents must be carried out using harmonised standard templates.[3] The authorities to which reports must be submitted differ from those under the NIS2 Directive, so reporting obligations and recipient authorities must be clearly determined and communicated internally.

Testing of Digital Operational Stability

Significant financial entities are required to conduct threat-led penetration tests (TLPT). These tests — also conducted in the production environment — target the company’s core IT systems. This enables obligated entities to identify weaknesses, deficiencies, and gaps in digital operational resilience and take corrective actions immediately. The tests must be conducted by independent parties to ensure objective evaluation. They are to be performed at least annually on ICT systems or applications that support critical or important functions. The aim is to ensure continuous resilience in these key areas.

Article 25(1) DORA specifies different types of tests that may be considered, including simulations, red teaming, or penetration tests. Additionally, under Article 26 DORA, certain financial entities are required to carry out threat-led penetration tests at least every three years, simulating realistic threat scenarios. These tests aim to uncover vulnerabilities that traditional security measures may not detect.

The specific requirements and elements of these TLPTs are defined in the Regulatory Technical Standards (RTS) issued by the European Supervisory Authorities (EBA, ESMA, and EIOPA – collectively the “ESAs”). The methodology to be applied is based on the TIBER-EU framework (“Threat Intelligence-Based Ethical Red Teaming”), which is implemented in Austria through TIBER-AT.

Supply Chain Management

DORA imposes clear requirements on the management of ICT third-party risk and contractual arrangements with ICT third-party providers that financial entities must observe. Except for microenterprises, financial entities are required to develop and regularly review a strategy for managing ICT third-party risk. This strategy includes guidelines on the use of ICT third-party services to effectively manage risks arising from external service providers. The ESAs have published RTS detailing the contents of these guidelines.[4]

Information Register

A key requirement is that financial entities must maintain an up-to-date information register containing details of all outsourced ICT processes. This register includes the respective contractual arrangements and classification of processes as critical or non-critical. These details must be made available to competent authorities upon request. Furthermore, financial entities must annually report the number of new agreements with ICT third-party providers, the services and functions provided, and the nature of the contractual arrangements. Entities must also promptly report to authorities any planned new arrangements involving critical functions or any change in the classification of a function as “critical.”

Contracts

Before concluding a contract with an ICT third-party provider, financial entities must conduct a risk assessment taking into account the criteria in Article 28(4) and (5) DORA. During contract negotiations, they must ensure the definition of audit frequencies and the audit scope to maintain control over critical systems. Additionally, contractual termination rights and appropriate exit strategies must be defined, especially for critical or important functions.

Practical Tip: Medium-sized enterprises should prepare model contracts to clearly regulate requirements for third-party providers. Many SMEs lack centralized contract frameworks, complicating implementation.

Furthermore, Article 30 DORA sets out specific contractual provisions for subcontracting by ICT third-party providers, also defined in ESA technical standards. These rules govern, among other things, the permissibility and criteria of subcontracting. ICT providers are fully subject to DORA.

Supervision

The supervision of ICT third-party providers is carried out by the ESAs, which under Article 31(2) DORA may designate them as “critical.” A lead supervisory authority will be appointed for each critical ICT third-party provider, with far-reaching powers, including information requests, inspections, and recommendations regarding security requirements and subcontracting. Central audits of ICT providers may also be conducted. It remains to be clarified which Austrian authority (possibly the FMA) will carry out such audits.

Practical Tip: If central audits of large ICT providers are conducted, companies can rely on those results and minimize their own decentralized audits.

Information Sharing

DORA allows financial entities to share information and insights on cyber threats with each other — within trusted communities and while maintaining confidentiality of potentially sensitive information. This promotes awareness and strengthens the ability to prevent and mitigate the impact of ICT incidents. This information sharing is voluntary under DORA. Participation or withdrawal from such an arrangement must be reported to the FMA.[5]

Case Examples

• Scope: A bank purchases its core banking system from an external provider and only manages the contract. The bank must still ensure compliance with DORA requirements, particularly concerning risk and supply chain management.

• In companies with centralized IT governance, such as holding structures, governance design and integration must be clearly defined and enforced. This applies to both operational units and the organization as a whole.

Synergies

Data Protection

• Data protection and information security are closely interlinked concepts that must be considered together. Any measure, such as monitoring and logging, must also be examined in terms of data protection requirements. Article 88 GDPR emphasizes the protection of human dignity in the workplace, which is especially relevant when using invasive technologies such as AI-based anomaly monitoring. The use of AI systems to detect and report anomalies is increasing, potentially posing significant privacy intrusions into employee data. These impacts must be carefully assessed under both GDPR and DORA.

• Standards such as ISO 27001 and ÖNORM A 2017:2023:06:01 combine data protection and data security and serve as a suitable reference for implementing DORA. They can be conceptually integrated with the corresponding DORA standards as implementation structures.

NIS2 Directive

The Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) developed under DORA offer valuable guidance for implementing the NIS2 Directive:

• Risk Management: DORA’s RTS on ICT risk management can serve as templates for similar frameworks under NIS2.

• Incident Reporting: The ITS on reporting major incidents provide standardized templates adaptable to NIS2-covered entities.

• Third-Party Management: DORA’s RTS on the use of ICT services and subcontracting can be used as best practices for supply chain risk management under NIS2.

• Penetration Testing: The RTS on Threat-Led Penetration Testing (TLPT) under DORA provides detailed specifications also relevant for critical infrastructure under NIS2.

The technical standards adopted under DORA include:

• RTS on ICT risk management (Art. 15, Art. 16(3))

• RTS on classification of ICT-related incidents (Art. 18(3))

• RTS on contractual arrangements with ICT third-party providers (Art. 28(10))

• ITS on the information register (Art. 29(9))

• RTS on reporting of major ICT-related incidents and significant cyber threats (Art. 20a)

• ITS on reporting of major ICT-related incidents and significant cyber threats (Art. 20b)

• RTS on threat-led penetration testing (Art. 26(11))

• RTS for the harmonization of supervisory activities (Art. 41(1))

• RTS on criteria for composition of the Joint Examination Team (Art. 41(1)(c))

• RTS on subcontracting to ICT third parties (Art. 30(5))

Consequences/Penalties

Fines

DORA imposes strict fines and penalties for violations to ensure digital operational stability in the financial sector:

• Financial institutions: Nationally determined, in Austria up to EUR 500,000 or up to 1% of global annual turnover (DORA Implementation Act – DORA-VG)

• Critical ICT third-party providers: Up to 1% of global annual turnover

Administrative Measures

• Revocation or suspension of license (Art. 50)

• Mandatory corrective measures (Art. 50)

Criminal Consequences

• Potential criminal prosecution of executives in cases of gross negligence (Art. 11)

• National provisions may include prison sentences (Art. 52)

Further Reading

• Siglmüller, Cyber Resilience Act und Digital Operational Resilience Act – Lässt sich IT-Sicherheit rechtlich erzwingen?, ZfPC 2023, 221.

• Škorjanc, Digital Operational Resilience Act, ÖBA 2023, 658.

Sources

1. DORA Implementation Act (DORA-VG), https://www.parlament.gv.at/gegenstand/XXVII/I/2596.
2. Directive (EU) 2022/2556 of the European Parliament and of the Council of 14 December 2022 amending Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 on digital operational resilience in the financial sector, OJ L 2022/333, 153.
3. European Banking Authority, Joint Technical Standards on major incident reporting, https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/operational-resilience/joint-technical-standards-major-incident-reporting (accessed 22 January 2025).
4. European Supervisory Authorities, press release on the second batch of policy products under DORA, https://www.eba.europa.eu/publications-and-media/press-releases/esas-published-second-batch-policy-products-under-dora.
5. FMA, DORA – Information Sharing and Emergency Exercises, https://www.fma.gv.at/querschnittsthemen/dora/dora-informationsaustausch-und-notfalluebungen/ (accessed 22 January 2025).