Navigating the Digital Operational Resilience Act (DORA)

Published Oct 04, 2024  | 4 min read
  • Janis Steinmann

As the digital landscape continues to evolve rapidly, ensuring the resilience of financial systems against cyber threats and operational disruptions has become a top priority for regulatory bodies worldwide. One of the most significant regulatory developments in this realm is the European Union's Digital Operational Resilience Act (DORA). At Lucanet, we're dedicated to helping financial institutions navigate these regulatory challenges with our cutting-edge financial software. In this blog post, we'll delve into what DORA entails, its implementation timeline, the entities required to report under this regulation, and the responsibility framework that governs it.


What is the Digital Operational Resilience Act (DORA)?

DORA, a landmark legislative measure, aims to bolster the digital operational resilience of the EU's financial sector. The primary objective of DORA is to ensure that all entities operating within the financial system possess the necessary safeguards to withstand, respond to, and recover from various types of disruptions and cyber threats. This regulation encompasses an extensive range of requirements, from robust ICT (Information and Communication Technology) risk management protocols to stringent incident reporting and third-party risk oversight.

The responsibility for overseeing the implementation and enforcement of DORA rests with a combination of EU and national authorities. Predominantly, two primary entities are at the helm:

  • The European Supervisory Authorities (ESAs) - the EBA (European Banking Authority), EIOPA (European Insurance and Occupational Pensions Authority), and ESMA (European Securities and Markets Authority). These authorities provide guidance, supervision, and enforcement at the EU level.
  • National Competent Authorities (NCAs) - each EU Member State's NCA monitors compliance at the national level, ensuring that entities within its jurisdiction adhere to the regulation.


When will DORA come into force?

DORA was adopted by the European Parliament and the Council in November 2022. As stipulated in the regulation, DORA will officially come into force on January 17, 2025. This implementation timeline provides financial entities with a transitional period to align their operations and systems in accordance with the new regulatory requirements.


Who needs to report under DORA?

DORA casts a wide net, covering a multitude of entities operating within the financial sector. The regulation mandates that the following types of organizations must comply and report:

  1. Credit institutions - including traditional banks and digital banks.
  2. Investment firms - companies that provide investment services and activities.
  3. Insurance and reinsurance companies - entities providing various insurance products.
  4. Payment institutions - firms involved in providing payment services.
  5. Electronic money institutions - companies issuing electronic money.
  6. Crypto-asset service providers (CASPs) - businesses offering crypto-asset services.
  7. Trading venues and central counterparties - including stock exchanges and clearinghouses.
  8. Financial market infrastructures - such as central securities depositories.
  9. Third-party ICT providers - critical technology service providers to financial institutions (for example, cloud service providers and data centers).


In total, it's estimated that over 22,000 entities across the EU will fall under the reporting requirements outlined by DORA. This extensive reporting network ensures a comprehensive protective umbrella over the financial industry's digital operations.


The five key pillars of DORA

DORA is built upon five key pillars that collectively work to enhance the digital operational resilience of financial institutions:

  1. ICT risk management: Institutions must establish comprehensive ICT risk management frameworks. This involves identifying, assessing, and mitigating ICT risks to prevent disruptions. Financial entities must regularly update and test their risk management policies to adapt to evolving threats.
  2. Incident reporting: Entities are required to develop robust incident reporting mechanisms. Significant ICT-related incidents must be reported to competent authorities promptly. This pillar ensures swift responses to incidents, minimizing potential damages.
  3. Digital operational resilience testing: Regular testing of digital operational resilience is mandated. Financial institutions must conduct vulnerability assessments, penetration testing, and threat-led penetration testing (TLPT) to ensure their systems can withstand and recover from cyber threats and operational disruptions.
  4. Third-party risk management: Given the reliance on third-party ICT service providers, DORA emphasizes monitoring and managing third-party risks. Financial entities need to ensure that their third-party service providers adhere to similar resilience standards and have contingency plans in place.
  5. Information sharing: DORA promotes the sharing of information related to cyber threats and ICT risks among financial institutions. This collaborative approach helps in identifying emerging threats and enhancing collective preparedness.


Prepare for DORA application

To ensure readiness for the upcoming regulatory changes, the European Banking Authority (EBA) has initiated a DORA dry run. This proactive measure aims to test and refine the reporting mechanisms set forth by DORA. The dry run allows financial institutions to simulate the implementation of DORA mandates, providing invaluable insights and feedback that will help streamline the actual compliance processes once the regulation comes into force.

Lucanet is actively taking part in the dry run together with the National Competent Authorities that use our XBRL Portal. This way, we can ensure that our solutions and our customers will be ready for the upcoming application of DORA.


How to report under DORA?

While it has not yet been clearly communicated how exactly data is to be reported under DORA, the EBA has already published an extension to its XBRL taxonomy as part of Reporting framework 3.5. DORA may well be the first live application of the new XBRL-CSV standard. This taxonomy is currently used in the DORA dry run.

Lucanet's XBRL tools are already XBRL certified for XBRL-CSV. Our XBRL Portal is the perfect tool to create DORA-compliant XBRL reports. Let us know if you want to try it out now.

In conclusion, the Digital Operational Resilience Act (DORA) marks a pivotal step in fortifying the EU's financial industry against digital threats. As the deadline approaches, it's crucial for all affected entities to begin preparing for this regulatory shift. Lucanet is here to guide and support your journey towards achieving full compliance and operational resilience.

Janis Steinmann

    Janis Steinmann is Product Manager for Reporting, ESG, and XBRL at AMANA consulting, part of the Lucanet Group. With over a decade of experience, Janis has successfully completed XBRL projects for European banks, insurers, regulators, and listed companies, meeting various reporting requirements. Janis's close collaboration with customers has given him deep insight into XBRL report creation and management. The team takes pride in the AMANA XBRL Engine, one of the first certified XBRL processors, which powers tools like the XBRL Tagger, XBRL Auditor, XBRL Portal, SmartNotes, and other third-party tools. Prior to joining AMANA, Janis worked in the in-house reporting department of a German bank. He is a member of XBRL International's Best Practices Board and holds a Bachelor's and a Master's degree in Business Information Technology and Applied Computer Science from the University of Duisburg-Essen.