
Cybersecurity · Credibility 93/100 · 2 min read

EU DORA Regulation Enters into Force — January 16, 2023

The Digital Operational Resilience Act now applies across the EU, setting 2025 compliance deadlines for financial entities and their ICT service providers.

Executive briefing: The Digital Operational Resilience Act (DORA) has entered into force, establishing a harmonised supervisory framework for ICT risk management in the EU financial sector. Banks, insurers, investment firms, critical third-party providers, and other covered entities now face an application deadline by which they must implement prescriptive controls for incident handling, testing, and third-party oversight.

Key requirements

  • ICT risk management. Articles 5–14 require governance accountability, continuous monitoring, logging, and security awareness programmes tailored to operational resilience threats.
  • Incident reporting. Firms must classify ICT-related incidents, notify competent authorities within tight timelines, and submit post-incident reviews that capture root causes and remediation.
  • Third-party oversight. The regulation introduces register and contract obligations for ICT service providers, plus oversight powers for critical suppliers designated by the European Supervisory Authorities.

Control alignment guidance

  • ISO/IEC 27001 A.15. Update supplier due diligence templates to capture DORA contract clauses, resilience testing expectations, and exit strategies.
  • NIST CSF PR.IP. Expand operational resilience exercises and scenario testing to meet DORA’s digital operational resilience testing (DORT) mandates.
  • FFIEC CAT. Map incident reporting obligations to ensure U.S. head offices can coordinate with EU regulators within required windows.

Operational recommendations

  • Assemble a DORA implementation programme spanning compliance, ICT, risk, procurement, and business continuity teams to coordinate the 2025 go-live.
  • Inventory intra-group and external ICT providers to confirm register completeness, concentration risk assessments, and layered exit plans.
  • Plan cross-border tabletop exercises that validate DORA incident classification logic alongside sector-specific regulations such as PSD2 and Solvency II.

Topics: European Union · Financial services · Operational resilience · Third-party risk