DORA (Digital Operational Resilience Act)

What is the DORA (Digital Operational Resilience Act)?

DORA is an EU Act that aims to ensure the financial sector in Europe can remain resilient through a severe operational disruption. It sets out technical standards for all financial service institutions, from banking and insurance to asset management.

Specifically, EU financial entities are required to have strong IT risk management capabilities and specific mechanisms for handling and reporting IT-related incidents. They should also have policies in place for testing IT applications and managing third-party risks. DORA holds companies responsible for the security of their apps and products, including components taken from libraries. The DORA requirements take into account the entity’s size, risk profile, and the nature of its services. Critical IT third-party service providers are subject to strict oversight by the European Supervisory Authorities.

DORA requirements entered into force on 16th January 2023, and financial entities are expected to be compliant with DORA by 17th January 2025.

DORA requirements applying to mobile data

IT risk management

Financial companies should set up and maintain resilient IT systems. All IT risks should be identified on an ongoing basis so that protection and prevention measures can be put in place, and mechanisms for the prompt detection of anomalous activity should be established.

IT-related incident reporting

Financial companies should implement a monitoring process and log IT-related incidents. They should classify incidents and report them to the relevant authorities and to the companies’ users and clients.

Digital operational resilience testing

Elements within the IT risk management framework should be periodically tested for preparedness. Any weaknesses, deficiencies or gaps must be identified and promptly eliminated or mitigated by implementing counteractive measures. Digital operational resilience testing requirements must be proportionate to the entity’s size, business and risk profile.

IT third-party risk

Companies must monitor any risks that arise from using technology provided by other companies. Their arrangements with each third party should be consistent and harmonised so that the company can fully monitor details such as a complete service-level description and the locations where data is processed. The contract with each third party should set out these details.

Information sharing

The guidelines encourage companies to exchange information that supports defensive and detection techniques, mitigation strategies, and response and recovery activities.

Ensure your applications comply with DORA

To be compliant, financial service providers, such as banks, must manage all components of operational resilience. Under DORA, they must also follow rules covering protection, detection, containment, recovery and repair capabilities against IT-related incidents.

Pradeo’s app suite provides all the tools needed to comply with DORA. The RASP solution detects risks and prevents attacks in real time, while the Mobile Application Security Testing solution ensures that the application is secure and compliant.