The DORA aims at establishing uniform rules for digital operational resilience in the financial sector. It introduces requirements for the security of information and communication technologies (ICT). Its aim is to establish a coherent level playing field across the financial sector for digital operational resilience.
For certain critical ICT service providers, an oversight framework will be established bringing those providers directly under a supervisory regime. Those providers will be subject to supervision themselves. Measures can then be taken directly against the provider (such as on-site inspection, request for information, etc.).
The DORA addresses the financial and insurance industry, asset managers, and certain service providers such as rating agencies, administrators of critical benchmarks, statutory auditors and audit firms as well as securitization repositories – together referred to as 'financial entities’. Crypto asset service providers and issuers of crypto assets also fall within this definition.
Financial entities are required to implement ICT risk management requirements, ICT-related incident reporting, conduct digital operational resilience testing, and ensure a sound monitoring of ICT third-party risk and exchange information on cyber threats. As part of the ICT risk management framework special attention needs to be given to the obligation to implement policies and protocols for strong authentication mechanisms with a view to crypto assets.
"[...] the regulation acknowledges that significant differences exist between financial entities in terms of size, business profiles or in relation to their exposure to digital risk. Since larger financial entities have more resources, only financial entities not qualifying as microenterprises are required, for instance, to establish complex governance arrangements, dedicated management functions, perform in-depth assessments after major changes in the network and information system infrastructures, regularly conduct risk analyses on legacy ICT systems, expand the testing of business continuity and response and recovery plans to capture switchover scenarios between their primary ICT infrastructure and redundant facilities. Moreover, only financial entities identified as significant for the purposes of the advanced digital resilience testing will be required to conduct threat led penetration tests (Excerpt from “Other Elements”).