EU's DORA Elevates SRE Metrics to Legal Standard
The European Union's Digital Operational Resilience Act (DORA) turns operational resilience from an internal best practice into an enforceable legal standard for financial firms. The regulation sets binding requirements for ICT risk management, incident classification and reporting, resilience testing, and third-party risk. For engineering leaders this means that the figures SRE teams already track, such as time to detect, classify and recover from an incident, or the rate of changes that fail, now feed regulatory reporting and board-level risk management. One caveat on the acronym: the "DORA metrics" of DevOps Research and Assessment (deployment frequency, lead time for changes, change failure rate, time to restore service) are a separate body of work, and the EU regulation does not prescribe them by name. Reliability data of that kind is, however, exactly what a firm will need in order to evidence its incident handling to a supervisor and what its management body will need in order to oversee ICT risk.
- The Digital Operational Resilience Act (Regulation (EU) 2022/2554) entered into force on January 16, 2023, and applies from January 17, 2025, giving financial institutions a 24-month implementation period.
- DORA applies to over 22,000 financial entities and ICT service providers operating within the EU, including banks, investment firms, insurance companies, and crypto-asset service providers.
- Penalties for non-compliance can be substantial, but the regulation does not itself fix a fine schedule for financial entities: Article 50 requires each Member State to lay down administrative penalties and remedial measures, which national law may also apply to members of the management body. The figures often quoted in commentary (fines of up to 2% of total annual worldwide turnover, personal fines of up to €1 million) do not appear in the regulation's text, so the actual exposure depends on the implementing law of the entity's home state.
- The regulation establishes a direct oversight framework for critical ICT third-party providers, such as cloud services, which are designated by the European Supervisory Authorities (ESAs) and supervised by a Lead Overseer. The Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover, applied daily for up to six months, to compel compliance with its requests.
- DORA mandates a comprehensive ICT risk management framework with systematic processes to identify, assess, and monitor both internal and third-party IT risks. This includes detailed contractual requirements for ICT service providers covering service level agreements, audit and access rights, and exit strategies, backed by a register of all ICT third-party arrangements that must be kept up to date.
- Financial entities must classify ICT-related incidents and report major ones to their competent authority through a standardized process and templates; where a major incident affects clients' financial interests, the entity must also inform those clients.
- The regulation mandates regular digital operational resilience testing. Entities identified by their authorities must additionally run threat-led penetration testing (TLPT) at least every three years, against live production systems, to identify vulnerabilities and assess the effectiveness of defensive measures.
- DORA harmonizes existing rules across the EU, replacing a patchwork of national and sector-specific requirements with a single framework for managing ICT risk in the financial sector.