Compliance Briefing — December 27, 2022
The Digital Operational Resilience Act (DORA) was published in the EU Official Journal, starting the countdown toward its January 2025 application for financial entities and ICT providers.
Executive briefing: On December 27, 2022, Regulation (EU) 2022/2554 — the Digital Operational Resilience Act — appeared in the Official Journal. DORA harmonizes ICT risk management, incident reporting, testing, and third-party oversight requirements across EU financial services, with application beginning January 17, 2025.
Immediate compliance priorities
- Program mobilization. Stand up cross-functional DORA programs covering ICT risk, cybersecurity, procurement, and operational resilience teams.
- Gap analysis. Benchmark current frameworks against DORA obligations for risk management, incident response, and digital operational resilience testing.
- Third-party inventory. Catalogue critical ICT third parties, including cloud and outsourcing providers, and prepare for oversight per the forthcoming Lead Overseer regime.
Control alignment
- Incident reporting. Build workflows to meet the layered reporting obligations (initial, intermediate, final) and the taxonomy under development by the ESAs.
- Testing. Plan for threat-led penetration tests and scenario exercises aligned with DORA's advanced testing requirements.
- Contract management. Update ICT outsourcing agreements to include resilience, access, and termination clauses mandated by DORA.
Enablement moves
- Monitor regulatory technical standards from the ESAs detailing implementation specifics.
- Engage boards and senior management on DORA governance accountabilities and reporting duties.
- Coordinate with industry groups to share best practices on resilience testing and ICT third-party oversight.
Sources
- Official Journal: Regulation (EU) 2022/2554 (DORA)
- ESMA: Publication of DORA in the Official Journal
Zeph Tech assists financial institutions with DORA-aligned ICT risk management, incident response, and third-party governance capabilities.