Smart digital content platform

Smart Digital Content Platform

DORA Regulation: new regulatory framework for cybersecurity in the financial and insurance sector

Discover the key requirements of the DORA Regulation (EU): digital operational resilience in the financial sector and its implications for ICT providers.
Reglamento DORA: nuevo marco regulador de ciberseguridad en el sector financiero y aseguradoras / DORA Regulation
Picture of Almudena Delgado

Almudena Delgado

DORA Regulation: the EU’s Digital Operational Resilience Law

The Digital Operational Resilience Act, also known as the DORA Regulation, is European Union legislation that establishes a regulatory framework to strengthen the operational resilience of digital systems used by the financial sector.

In an era where digital technologies play a central role in the financial industry, the need for robust security and resilience has never been more crucial. The DORA Regulation seeks to establish a standardised framework across all EU member states, ensuring a high level of digital operational resilience that can withstand, respond to and recover from a wide range of ICT-related disruptions and threats.

Who will be affected by the DORA Regulation?

The DORA regulation will have a widespread impact on a number of entities within the EU financial sector. This includes:

  • Banks and Credit Institutions: as the backbone of the financial sector, banks will need to comply with stringent measures to ensure that their digital operations are resilient.
  • Insurance Companies: given their reliance on digital platforms for customer interactions and data processing, insurers are a prime target of the DORA Regulation.
  • Investment firms: with digital trading and asset management being central to their operations, investment firms are under the scope of the DORA Regulation.
  • Payment Institutions and Electronic Money Institutions: as facilitators of digital transactions, these institutions are crucial to the financial ecosystem and must comply with the DORA regulations.
  • Crypto Asset Service Providers: reflecting the growing importance of digital currencies, providers handling crypto assets are also included.

Purpose and Objectives of the DORA Regulation

The main purpose of the DORA Regulation is to upgrade the financial sector’s ability to remain operational during severe operational disruptions. Its objectives include:

  • Strengthening ICT Risk Management: by enforcing robust ICT risk management requirements, the DORA Regulation aims to minimise the impact of ICT-related disruptions.
  • Harmonisation of Standards across the EU: the Digital Operational Resilience Act seeks to create a cohesive framework across member states, eliminating disparities in digital operational resilience.
  • Increased Supervision and Reporting Obligations: DORA introduces rigorous supervisory mechanisms and reporting obligations for financial institutions, ensuring transparency and accountability.
  • Promoting Cybersecurity and Resilience: the regulation emphasises the importance of cybersecurity and the ability of financial institutions to recover quickly from ICT-related incidents.

Implementation Timeline

The DORA regulation is expected to come into force from January 2025. The compliance timeline is crucial for affected entities to prepare and align their operations with the new regulations.

Key provisions and requirements

The DORA Regulation covers a number of key provisions and requirements with which financial institutions and insurers must comply, including:

  • ICT Risk Management: implementation of comprehensive risk management policies and procedures.
  • Testing and Reporting: regular testing of ICT systems and mandatory reporting of incidents to regulatory authorities.
  • Third Party Risk Management: oversight of third party service providers, ensuring that they comply with the resilience standards set by the Digital Operational Resilience Act.
  • Digital Operational Resilience Testing: conducting resilience tests to assess the ability to handle various types of ICT disruptions.

Impact on External ICT Providers and DORA Compliance

Third-party ICT providers are indirectly affected by the DORA regulation, as financial institutions can only contract with providers that comply with the high information security standards set by the regulation. To comply with the DORA regulation, ICT providers must implement robust security measures, undergo audits and ensure transparency in their operations. In addition, they must work closely with financial institutions and insurance companies to ensure compliance and digital operational resilience at all stages of their contractual relationship.

In order for third-party ICT providers to comply with the requirements of the DORA regulation, as well as other relevant standards and regulations in the financial sector, it is essential to adopt an inclusive, multi-standard approach:

  • ICT security risk management: ICT providers should implement a comprehensive approach to identify, assess and manage information security risks in their systems and services. This involves the adoption of recognised risk management frameworks, such as that established by the ISO 27001 standard, which provides a systematic approach to managing information security.
  • ICT incident management: ICT providers should have procedures in place for the management of information security incidents, including incident detection, response, mitigation and communication. This involves implementing an incident management process that complies with the requirements of applicable regulations, such as the General Data Protection Regulation (GDPR) and NIS legislation.
  • Regular testing and audits: ICT providers should conduct regular tests and audits of their systems and services to assess their digital operational resilience. This may include vulnerability testing, penetration testing, security audits and compliance assessments with standards such as PCI-DSS and ISO 27001.
  • Third-party risk management: ICT providers must manage the risks associated with their technology service providers and subcontractors. This involves assessing the security of third-party suppliers, establishing service provision contracts that include security clauses, and conducting third-party audits to verify compliance with security standards.
  • Training and awareness: ICT providers should provide information security training and awareness to their staff, to ensure that they are familiar with security policies and procedures and can identify and respond appropriately to security threats.
  • Continuous upgrade and PDCA model: ICT providers should adopt a continuous upgrade approach based on the Plan-Do-Check-Act (PDCA) cycle. This involves regularly reviewing and updating security measures, conducting lessons learned analysis of security incidents, and adjusting policies and procedures based on newly identified threats and vulnerabilities.

Strengthening digital information security

To ensure robust control in the corporate environment without compromising the security of electronic documentation, Athento implements rigorous security controls on an ongoing basis, in line with the provisions of the DORA Regulation:



Recovery and continuity

Athento not only presents itself as a robust technical solution, but goes beyond the traditional role of document management software. It offers features such as automatic backups, version control, audit trail and comprehensive security controls, making it an essential ally for companies looking for security and efficiency in the management of their electronic documentation.

By adopting Athento, companies not only guarantee the confidentiality of their documents, but also set a high standard for information integrity in a constantly evolving digital environment.

If you want to know more about Athento, try it for free or contact our team.