DORA Regulation Drives Engineering Metrics

The EU's Digital Operational Resilience Act (DORA) is pushing the financial sector toward resilience-by-design. The regulation mandates concrete capabilities for ICT risk management, incident classification and reporting, and resilience testing, so the availability, recovery-time and incident-response metrics that SRE teams already track become compliance evidence for fintechs and other in-scope financial entities. Consequently, SRE and platform teams are becoming key stakeholders in compliance, and investment in resilience is now framed as a legal requirement rather than an engineering preference.

- DORA entered into force on January 16, 2023 and became fully applicable on January 17, 2025. It establishes a single framework for digital operational resilience across the EU's financial sector.
- DORA mandates an ICT risk management framework: financial entities must identify, classify and document critical or important functions and the ICT assets supporting them, monitor ICT risk continuously, and maintain tested business continuity and disaster recovery plans.
- For major ICT-related incidents, firms must submit an initial notification to their competent authority within four hours of classifying the incident as major and no later than 24 hours after detection, an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report.
- The regulation puts significant weight on third-party risk: financial entities must maintain a register of all ICT dependencies, including subcontractors, and ensure contracts contain specific clauses on audit and access rights, exit strategies, and security and resilience measures.
- DORA leaves administrative penalties for financial entities to the member states, so the maximum fine depends on national law. For critical ICT third-party providers, the EU-level Lead Overseer can impose periodic penalty payments of 1% of average daily worldwide turnover, for up to six months, until the provider complies.
- Advanced digital operational resilience testing, including threat-led penetration testing (TLPT), is required at least every three years for financial entities identified by their competent authority, covering the ICT systems that support critical or important functions. Financial entities must ensure that their ICT third-party providers participate in these tests.
- The management body of a financial entity is directly accountable for ICT risk management, including approving the digital operational resilience strategy and overseeing its implementation.
- DORA's scope is extensive, covering over 22,000 financial entities and their ICT service providers in the EU. ICT providers established outside the EU that are designated critical for EU financial entities fall under the oversight regime as well.

Shared from Scout - Be the smartest in the room.