What are DORA’s five pillars?

Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) aims to strengthen ICT risk management in the EU financial sector to help ensure that financial entities can continue operating if they face severe operational disruptions or cyberattacks.

DORA focuses on five key areas:

  1. ICT risk management
  2. ICT third-party risk management
  3. Incident management and reporting
  4. Digital operational resilience testing
  5. Information and intelligence sharing

How does DORA apply proportionately to different financial entities?

Given the diverse nature of the EU’s financial sector, DORA employs the principle of proportionality.

Financial entities’ regulatory requirements differ depending on their size, as well as the nature and complexity of their operations and the services they offer.

What does Pillar 1: ICT Risk Management require?

Financial entities must have a robust risk-management framework to identify, assess, manage and monitor ICT risks.

Financial entities must have an internal governance and control framework that will ensure the effective and prudent management of ICT risks.

The management body of a financial entity is ultimately responsible for managing ICT risk.

Under the first pillar of DORA, financial entities must establish a robust ICT risk management framework that sets out how the entity identifies, manages and mitigates ICT risk and provides the framework within which the details set out in the remaining four pillars operate.

What does Pillar 2: ICT Third‑Party Risk Management involve?

DORA sets out obligations on financial entities and ICT third-party service providers in respect of ICT third-party services.

Where a financial entity relies upon an ICT third party, the financial entity is fully responsible for DORA compliance.

Financial entities engaging ICT third parties must have a due diligence and engagement process.

Addressing concentration risk requires identifying possible single points of failure and taking action to minimise the risk, such as limiting the number of services provided by a single provider and putting fallback plans in place.

What are the incident management and reporting obligations under Pillar 3?

Financial entities must have a process to detect, manage, classify, and notify ICT-related incidents.

Financial entities must report all major ICT-related incidents to their competent authority. An initial report must be made within four hours of an entity deciding that an incident is major, and no later than 24 hours from the time the financial entity first becomes aware of the incident.

An intermediate notification must be sent within 72 hours, outlining progress made in resolving the incident. Further updates must be provided every time a relevant status update is available.

A final report must be provided when a root cause analysis has been completed. This must be no later than one month from the submission of the last intermediate report.

How does Pillar 4: Digital Operational Resilience Testing work?

Digital operational resilience testing, the fourth pillar, requires financial entities to test their ICT systems regularly to ensure their strength and to identify vulnerabilities.

Financial entities must establish and maintain a sound and comprehensive digital operational resilience testing programme.

This programme assesses a financial entity’s preparedness for handling ICT-related incidents. It involves identifying weaknesses, dependencies and gaps in digital operational resilience and promptly implementing corrective measures.

Some financial entities, particularly those that play a systemic role in core financial subsectors, should carry out threat-led penetration testing (TLPT) at least every three years.

Why does Pillar 5 encourage information and intelligence sharing?

Finally, DORA encourages financial entities to share information on cyber threats.

Such information sharing can contribute to an increased awareness of cyber threats, which enhances financial entities’ capacity to prevent these threats from becoming real ICT-related incidents.

Financial entities are encouraged to exchange among themselves cyber threat information and intelligence and to collectively leverage their knowledge and experience at strategic, tactical and operational levels to enhance their capabilities to assess, monitor, defend against, and respond to cyber threats.

Financial entities should notify their competent authority of their participation in such information-sharing arrangements.

As part of Intuition Know‑How’s forthcoming release, we will introduce a dedicated DORA tutorial that covers the regulation’s scope, its five operational‑resilience pillars, incident‑reporting timelines and supervisory expectations, equipping your teams to embed compliance with confidence.