What is DORA? The Digital Operational Resilience Act Explained

DORA is a regulation that enhances the operational resilience of information and communication technology (ICT) and third-party providers in the EU financial sector.

The Digital Operational Resilience Act, also known as DORA, is a pivotal EU regulation designed to enhance the operational resilience of digital systems that support financial institutions operating in European markets, with a comprehensive focus on risk management, incident response, and governance.

Featured learning experience:

The Digital Operational Resilience Act (DORA) and Your Mainframe System (2:02)

Meeting DORA requirements fortifies mainframe operations and builds the resilience that shields your organization from financial penalties and reputational risk.

“With new regulations like the Digital Operational Resilience Act (DORA) in Europe, resilience is now a legal mandate. The conclusion is clear: Operations teams must rise to the challenge of modern mainframe resilience.”

Jason Bloomberg, Intellyx – Founder & Principal Analyst

What you need to know about DORA

  • The Digital Operational Resilience Act timeline started with formal adoption by the Council of the European Union and the European Parliament in November 2022, and DORA regulations will go into effect on January 17, 2025.
  • Financial entities and third-party ICT service providers have until January 17, 2025, to comply with DORA before enforcement starts.
  • The DORA law addresses key components such as service visibility, risk mitigation, business continuity, incident management, and governance, guiding organizations to build resilient frameworks that withstand disruption and keep pace with the changing landscape of digital operations.

The purpose of DORA

Why is DORA happening?

  • There is currently no framework for the management and mitigation of ICT risk that spans the entire European financial sector.
  • The DORA regulatory act aspires to establish a framework by comprehensively harmonizing risk management rules across the EU and ensuring that every financial institution is held to the same high standard.
  • DORA compliance aims to eliminate the complexities arising from gaps, overlaps, and conflicts between diverse regulations in different member states, streamlining compliance for financial entities while enhancing the resilience of the entire EU financial system.

Technical requirements of DORA

There are five technical requirements that DORA outlines:

ICT risk management and governance

This requirement covers setting strategy, assessing risk, and implementing controls. Accountability spans all levels of the organization, and entities are expected to prepare for disruptions in advance. Plans include data recovery, communication strategies, and measures for a range of cyber risk scenarios.

Incident reporting

Entities must establish systems for monitoring, managing, and reporting ICT incidents. Depending on severity, reports to regulators and affected parties may be necessary, including initial, progress, and root cause analyses.

Digital operational resilience testing

Entities must regularly test their ICT systems to assess protections and identify vulnerabilities. Results are reported to competent authorities, with basic tests annually and threat-led penetration testing (TLPT) every three years.

Third-party risk management

Financial firms must actively manage ICT third-party risk, negotiating exit strategies, audits, and performance targets. Compliance is enforced by competent authorities, with proposals for standardized contractual clauses under exploration.

Information sharing

DORA urges financial entities to develop incident learning processes, including participation in voluntary threat intelligence sharing. Shared information must comply with the relevant guidelines, safeguarding personally identifiable information (PII) under the EU's General Data Protection Regulation (GDPR).

Focus areas of DORA for the mainframe

The Digital Operational Resilience Act’s core principles ensure that financial institutions understand their entire IT landscape, including their third-party service suppliers, and can identify potential vulnerabilities and risks and implement robust automated strategies to protect their systems, data, and customers from cyberthreats and other disruptions. While the DORA regulatory focus is on ICT and third-party risk management, incident reporting, resilience testing, and information sharing, firms with mainframe systems should also consider the following:
DORA operational resilience toolchain

DORA outlines five considerations for rapid response, recovery, and compliance that align with the aforementioned key aspects of DORA as they relate to the mainframe.

Identify

Understand the risk to systems, people, assets, data, and capabilities, including business context, policies, and vulnerabilities.

Protect

Ensure safeguards to limit or contain the impact of a potential cybersecurity event. Fortify defenses to ensure the integrity and security of critical data and systems.

Detect

Discover cybersecurity events and anomalies in real time and understand their potential impact. Identify and understand potential threats for swift mitigation.

Respond

Take action to limit the impact of cybersecurity events and anomalies, with well-defined response mechanisms and protocols already in place.

Recover

Restore data, systems, and operations to normal conditions. Ensure systems can bounce back efficiently and effectively.