Digital Operational Resilience Act
DORA harmonises digital operational resilience for EU financial institutions, focusing on ICT risk management, incident reporting, resilience testing, information sharing and ICT third-party risk.
Scope
- Financial institutions and group governance
- ICT services for critical or important functions
- Critical ICT third-party providers under EU supervisory framework
Core obligations
- Document and annually improve ICT risk management
- Operate reporting processes for major ICT incidents
- Maintain resilience tests and lessons learned
- Maintain information register for ICT third-party contracts
Register objects
- Critical function
- ICT service
- Provider
- Contract
- Subcontractor
- Exit plan
- Control evidence