What is DORA, and how does it change ICT risk management requirements for financial institutions?
I'm preparing for the FRM exam and the operational risk section now covers DORA (Digital Operational Resilience Act). I understand it's an EU regulation, but I'm not clear on how it differs from existing operational risk frameworks. What specific new requirements does DORA impose, and how should risk managers prepare?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is an EU regulation that establishes a single, binding framework for ICT (Information and Communications Technology) risk management across the financial sector. It has applied since 17 January 2025. Because it is a regulation rather than a directive, it applies directly in every Member State without national transposition, and it is fleshed out by regulatory and implementing technical standards (RTS/ITS) drafted by the three European Supervisory Authorities (EBA, EIOPA and ESMA). Where traditional operational risk frameworks treat ICT failures mainly as a source of operational loss to be measured, capitalised and managed through policies and outsourcing guidelines, DORA prescribes how the technology itself must be governed, tested and reported on.

What DORA Covers (Five Pillars):

| Pillar | Requirement | Key Change from Pre-DORA |
|---|---|---|
| 1. ICT Risk Management | Comprehensive, board-owned ICT risk management framework | Binding regulation (not supervisory guidelines) |
| 2. Incident Reporting | Classify ICT-related incidents and report major ones | One taxonomy and one reporting timeline across the EU |
| 3. Digital Resilience Testing | Regular testing, including threat-led penetration testing (TLPT) for designated entities | TLPT on live systems becomes a legal requirement |
| 4. Third-Party Risk | Manage ICT third-party risk across the contract lifecycle | Union-level oversight of critical ICT providers |
| 5. Information Sharing | Exchange cyber threat intelligence with peers | Voluntary but explicitly encouraged |

Practical Impact -- Example at Hartfield Investment Bank:

Chief Risk Officer Duncan must implement DORA compliance. The major changes:

Pillar 1 -- ICT Risk Framework:
- Identify, classify and document all ICT assets, their dependencies and interconnections, and keep that inventory current
- The management body (the board) owns the ICT risk management framework and the digital operational resilience strategy; the framework must be documented and reviewed at least once a year
- The management body must allocate and periodically review the budget for digital operational resilience, and its members must keep their ICT risk knowledge up to date through regular training

Pillar 2 -- Incident Reporting:
Previously, Hartfield reported ICT incidents to four different national regulators in different formats. Under DORA:
- A single classification taxonomy for ICT-related incidents, built on the criteria in the ESAs' RTS on incident classification: critical services affected, clients/counterparts/transactions affected, duration and service downtime, geographical spread, data losses, economic impact and reputational impact
- An incident is "major" when it affects critical services (which includes a successful malicious intrusion into the entity's systems) and either causes data losses or crosses the thresholds of two or more of the other criteria. Illustrative thresholds: more than 10% of clients (or more than 100,000 clients) affected, more than 2 hours of downtime for a service supporting a critical or important function, direct costs and losses above EUR 100,000
- Initial notification to the competent authority within 4 hours of classifying the incident as major, and in any case no later than 24 hours after becoming aware of it
- Intermediate report within 72 hours of the initial notification
- Final report within one month of the intermediate report

Pillar 3 -- Testing:
- Basic resilience testing: every ICT system and application supporting a critical or important function is tested at least yearly, using tools such as vulnerability assessments and scans, network security assessments, source code reviews, scenario-based tests and penetration testing
- Advanced TLPT (Threat-Led Penetration Testing): at least every 3 years for the financial entities designated by their competent authority (in practice the larger, systemically significant ones), run on live production systems against attack scenarios derived from threat intelligence, in line with the TIBER-EU framework
- Testers must meet the regulation's independence and qualification requirements; internal testers are allowed under conditions, but the threat-intelligence provider must always be external
- Hartfield's estimated cost: EUR 800,000 per TLPT cycle

Pillar 4 -- Third-Party Risk (Most Disruptive):
Hartfield uses 47 ICT service providers (cloud, data, communications). Under DORA:
- Maintain a register of information on all contractual arrangements with ICT third-party providers, flagging those that support critical or important functions, and provide it to the competent authority on request
- Before contracting for a critical or important function: perform due diligence, assess concentration risk, and notify the competent authority of the planned arrangement
- Contracts must include the regulation's mandatory provisions: service descriptions and service levels, the locations where data is processed and stored, access, inspection and audit rights for the entity and its supervisors, incident assistance, cooperation with authorities, and termination rights with exit support
- ICT third-party providers designated as critical (for example the major cloud hyperscalers) are placed under a Union oversight framework run by the ESAs, with one ESA acting as Lead Overseer; this oversight does not transfer the entity's own responsibility for the risk
- Documented and tested exit strategies are required for ICT services supporting critical or important functions (for example, migrating to an alternative provider or bringing the service in-house) so that a contract can be ended without disrupting the business

Risk Manager Preparation Checklist:
1. Complete the ICT asset inventory and dependency mapping
2. Establish the incident classification and reporting workflow, with the 4-hour/24-hour clock built into the on-call process
3. Determine whether the entity is in TLPT scope and, if so, schedule testing with qualified testers
4. Review and amend all ICT provider contracts against the mandatory provisions
5. Develop and test exit strategies for services supporting critical or important functions
6. Train the management body on its ICT risk governance responsibilities
7. Budget for ongoing compliance (Hartfield's estimate: a 15-25% increase in ICT risk management costs)
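As an added worked example (not from the page, and not any regulator's or vendor's tool), the following Python encodes the Pillar 2 classification rule and deadline arithmetic so they can be checked against sample incidents: the "critical services plus data loss or two other criteria" gate, and the initial notification clock that runs 4 hours from classification but is capped at 24 hours from awareness. The criterion names, the numeric thresholds, the `Incident` fields and the sample incidents are assumptions based on the reading of the RTS given above and should be verified against the regulation text before use.

```python
"""Added example (not from the page or any regulator's tool): a DORA major-incident
classifier and reporting-deadline calculator for an incident workflow.
ASSUMPTIONS (verify against the ESAs' RTS/ITS before relying on them): an incident
is major when critical services are affected AND (data loss OR >=2 other criteria);
the numeric thresholds below are illustrative; initial notification is due 4h after
classification but no later than 24h after awareness; intermediate report 72h after
the initial notification; final report one calendar month after the intermediate.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Incident:
    aware_at: datetime          # moment the entity became aware of the incident
    classified_at: datetime     # moment it was classified as major
    critical_services: bool     # ICT services supporting critical/important functions hit
    malicious_access: bool      # successful, malicious, unauthorised access to systems
    clients_affected: int
    total_clients: int
    downtime_critical_h: float  # downtime of a critical/important function, in hours
    duration_h: float           # total incident duration, in hours
    member_states: int          # Member States where the impact was felt
    data_loss: bool             # availability/integrity/confidentiality of data impacted
    econ_impact_eur: float      # direct costs and losses
    reputational: bool          # e.g. media coverage or regulatory complaints


OTHER_CRITERIA = ("clients", "duration", "geography", "economic", "reputational")


def criteria_met(inc: Incident) -> dict:
    """Evaluate each classification criterion against the assumed thresholds."""
    share = inc.clients_affected / inc.total_clients if inc.total_clients else 0.0
    return {
        # the critical-services criterion also covers a successful malicious intrusion
        "critical_services": inc.critical_services or inc.malicious_access,
        "clients": share > 0.10 or inc.clients_affected > 100_000,
        "duration": inc.downtime_critical_h > 2 or inc.duration_h > 24,
        "geography": inc.member_states >= 2,
        "data_loss": inc.data_loss,
        "economic": inc.econ_impact_eur > 100_000,
        "reputational": inc.reputational,
    }


def is_major(inc: Incident) -> bool:
    """Critical services is a gate; then data loss OR at least two other criteria."""
    met = criteria_met(inc)
    if not met["critical_services"]:
        return False
    return met["data_loss"] or sum(met[k] for k in OTHER_CRITERIA) >= 2


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to that month's length (31 Jan -> 28 Feb)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    return ts.replace(year=year, month=month,
                      day=min(ts.day, calendar.monthrange(year, month)[1]))


def reporting_deadlines(inc: Incident) -> dict:
    """Due times for the initial, intermediate and final reports of a major incident."""
    if not is_major(inc):
        raise ValueError("not a major incident: no DORA report is due")
    if inc.classified_at < inc.aware_at:
        raise ValueError("classification cannot precede awareness")
    # 4h after classification, unless the 24h-from-awareness backstop comes first
    initial = min(inc.classified_at + timedelta(hours=4),
                  inc.aware_at + timedelta(hours=24))
    intermediate = initial + timedelta(hours=72)
    return {"initial": initial, "intermediate": intermediate,
            "final": add_one_month(intermediate)}


def sample_incidents() -> dict:
    """Constructed sample incidents (not real events) to exercise the rules."""
    aware = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)
    base = dict(aware_at=aware, classified_at=aware + timedelta(hours=21),
                critical_services=True, malicious_access=False,
                clients_affected=12_000, total_clients=100_000,
                downtime_critical_h=3.0, duration_h=5.0, member_states=1,
                data_loss=False, econ_impact_eur=40_000.0, reputational=False)
    return {
        # 12% of clients plus >2h critical downtime: two criteria -> major;
        # classified 21h after awareness, so the 24h backstop sets the initial deadline
        "outage": Incident(**base),
        # only the clients criterion met -> not major
        "minor": Incident(**{**base, "downtime_critical_h": 0.5}),
        # data loss, but the critical-services gate is not met -> not major
        "noncritical_leak": Incident(**{**base, "critical_services": False,
                                        "data_loss": True, "clients_affected": 10}),
        # successful intrusion plus data loss -> major even with no client impact
        "intrusion": Incident(**{**base, "critical_services": False,
                                 "malicious_access": True, "data_loss": True,
                                 "clients_affected": 0, "downtime_critical_h": 0.0}),
    }
```

Running `is_major` over `sample_incidents()` flags `outage` and `intrusion` as major and the other two as not. For `outage`, classified at 06:00 UTC on 4 March after awareness at 09:00 UTC on 3 March, the initial notification is due at 09:00 UTC on 4 March (the 24-hour backstop), not four hours after classification; the intermediate report follows 72 hours later and the final report one calendar month after that.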