Digital Operational Resilience Act (EU)
What is DORA?

The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that creates a comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA establishes a unified framework to address gaps, overlaps, and conflicts in regulations, reducing the compliance burden and enhancing the resilience of the EU financial system.

DORA became applicable on January 17, 2025.

Purpose of DORA

Prior to DORA, EU regulations mainly focused on capital for operational risks, with inconsistent ICT and security guidelines across countries. DORA aims to improve ICT risk management in the financial services sector and harmonize regulations across EU member states.

DORA is supplemented by a number of binding Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that provide harmonized standards and practical guidelines on effective implementation of the regulatory requirements.

Scope of DORA

DORA applies to a broad range of financial entities, such as banks, credit and payment institutions, investment firms, trading venues and central securities depositories, as well as nontraditional entities including crypto-asset service providers and crowdfunding platforms. Exemptions exist for managers of alternative investment funds who qualify for an exemption under Article 3(2) of the AIFMD, and for small, non-complex institutions that meet certain thresholds based on size, risk profile and operational complexity.

A distinctive and impactful aspect of DORA is that it applies not only to financial entities but also to the critical ICT providers that serve the financial sector, such as cloud service providers and data centers.

Enforcement of DORA

The enforcement of DORA is the remit of the European Central Bank (ECB) and designated regulators in each EU member state, known as "national competent authorities" or NCAs. The ECB and national competent authorities can request that financial entities take specific risk management and security measures and remediate vulnerabilities. They also have enforcement powers to impose administrative and criminal penalties on entities that fail to comply with supervisory expectations. Each member state is empowered to exercise discretion in how its national competent authority imposes penalties.

ICT providers deemed "critical" under DORA will be directly supervised by lead overseers from the European Supervisory Authorities (ESAs). Like national competent authorities, lead overseers can request that specific security preventive and curative measures be taken to address vulnerabilities and penalize noncompliant ICT providers. DORA allows lead overseers to levy fines on ICT providers amounting to 1% of the provider's average daily worldwide turnover in the previous business year. Providers can be fined every day for up to six months until they achieve compliance with the lead overseer’s expectations.

DORA requirements

DORA establishes technical requirements for financial entities and ICT providers across four domains:

  • ICT risk management and governance 
  • Incident response  and reporting 
  • Digital operational resilience testing 
  • Third-party risk management

A fifth domain covers information sharing, which, unlike the other four domains, is encouraged but not compulsory.

Financial entities in scope for DORA are expected to take an active role in managing ICT third-party risk. When outsourcing critical and important functions, financial entities are expected to negotiate specific contractual arrangements regarding exit strategies, audits and performance targets for data accessibility, integrity and security, among other things. Entities are not permitted to contract with ICT providers who cannot meet these requirements. The ECB and national competent authorities are empowered to suspend or terminate contracts that do not comply. The European Commission is exploring the possibility of drafting standardized contractual clauses that entities and ICT providers can use to help ensure that their agreements comply with DORA.

Financial entities also need to map their third-party ICT dependencies and are required to help ensure their critical and important functions are not unduly concentrated with a single provider or small group of providers. 

Critical ICT third-party service providers will be subject to direct oversight from relevant ESAs. The European Commission is still developing the criteria for determining which providers are critical. Those that meet the standards will have one of the ESAs assigned as a lead overseer. In addition to enforcing DORA requirements on critical providers, lead overseers are empowered to forbid providers from contracting with financial firms or other ICT providers that do not comply with DORA requirements.


DORA makes an entity's management body responsible for ICT management. Board members, executive leaders and other senior managers are expected to define appropriate risk management strategies, actively assist in executing them and stay current on their knowledge of the ICT risk landscape. Leaders can also be held personally accountable for an entity's failure to comply.

Covered entities are expected to develop comprehensive ICT risk management frameworks. Entities must map their ICT systems, identify and classify critical assets and functions and document dependencies between assets, systems, processes and providers. Entities must conduct continuous risk assessments on their ICT systems, document and classify cyberthreats and document their steps to mitigate identified risks. 

As part of the risk assessment process, entities must conduct business impact analyses to assess how specific scenarios and severe disruptions might affect the business. Entities are expected to use the results of these analyses to set levels of risk tolerance and inform the design of their ICT infrastructure. Entities will also be required to implement suitable cybersecurity protection measures, such as policies for identity and access management and patch management, along with technical controls such as extended detection and response systems, security information and event management (SIEM) software and security orchestration, automation and response (SOAR) tools.

Entities also need to establish business continuity and disaster recovery plans for various cyber risk scenarios, such as ICT service failures, natural disasters and cyberattacks. These plans must include data backup and recovery measures, system restoration processes and plans for communicating with affected clients, partners and the authorities. 

Covered entities must establish systems for monitoring, managing, logging, classifying and reporting ICT-related incidents. Depending on the severity of the incident, entities may need to make reports to both regulators and affected clients and partners. Entities will be required to file three distinct types of report for critical incidents: an initial report notifying authorities, an intermediate report on progress toward resolving the incident and a final report analyzing the root causes of the incident.

The rules on how incidents should be classified, which incidents must be reported, and timelines for reporting are forthcoming. ESAs are also exploring ways to streamline reporting by establishing a central hub and common report templates. 

Entities are required to test their ICT systems regularly to evaluate the strength of their protections and identify vulnerabilities. The results of these tests, and plans for addressing any weaknesses they find, need to be reported to and validated by the relevant competent authorities.

Entities must carry out tests, such as vulnerability assessments and scenario-based testing, once a year. Financial entities judged to play a critical role in the financial system will also need to undergo threat-led penetration testing (TLPT) every three years. The entity's critical ICT providers will be required to participate in these penetration tests as well. On 23 January 2025 the Governing Council of the ECB approved the updated Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework to fully align it with the DORA regulatory technical standards on threat-led penetration testing, in view of DORA’s entry into force on 17 January 2025. The updated TIBER-EU framework and guidance documents are available on the ECB’s website.

Financial entities are required to establish processes for learning from both internal and external ICT-related incidents. Toward that end, DORA encourages entities to participate in voluntary threat intelligence sharing arrangements. Any information shared in this context must still be protected under the relevant guidelines—for instance, personally identifiable information is still subject to General Data Protection Regulation (GDPR) considerations.

IBM Cloud and DORA

IBM Cloud is committed to supporting our clients in strengthening their digital operational resilience in the face of disruptions, and to helping them prepare to meet their DORA obligations. With our long history and deep expertise working with some of the world's most well-known financial services organizations on their journey to modernization, IBM is committed to supporting our customers as they drive growth while reducing risk and adapting to the evolving regulatory landscape, including compliance with DORA.

Because IBM Cloud is a cloud service provider (CSP), DORA impacts it in two ways:

  • Indirectly, where both IBM and our financial entity (FE) clients are required to take actions such as revising policies and procedures and adapting tooling to manage the security, stability and resilience of ICT systems, as well as the content and overall handling of contractual agreements, both between clients and IBM, and between IBM and our suppliers.
  • Directly, in the event that IBM and IBM Cloud are designated as a critical ICT third-party service provider (CTPP) requiring oversight under DORA, where IBM Cloud provides ICT services to FE clients.

To date, IBM has not been officially designated as a critical ICT provider by the EU authorities. However, IBM Cloud is proactively preparing to address potential direct requirements, in the event that IBM is designated as a critical ICT third-party service provider (CTPP) by the competent authorities.

Enabling Operational Resilience on IBM Cloud

Risk Management

IBM Cloud supports clients to inform their risk-based decision making. Our documentation provides detailed information for each cloud service, to highlight built-in service resilience measures and help customers design to cope with potential unplanned disruption. We include detailed compliance documentation as evidence of robust capabilities. Also, IBM Cloud Security and Compliance Center Workload Protection automates compliance checks for the IBM Cloud Framework for Financial Services, DORA, PCI and many other industry-related or best-practice standards, for your IBM Cloud resources as well as those in a multi-cloud environment.

Solution Design

IBM Cloud offers a robust platform that enables customers to design a resilient implementation that best suits their needs. Our multi-zone regions offer a choice of geographic locations and highly available global and cross-zone services, such as Identity and Access Management, IBM Cloud Databases, Container Services (Kubernetes and Red Hat OpenShift), various storage services and Virtual Private Cloud, to meet application resilience and compliance requirements for the most demanding workloads. In addition, cross-region disaster recovery can be built using reference architectures and best-practice guidance, to mitigate a range of scenarios.

Operations

Stability is important, so IBM Cloud ensures that customers have the resiliency capabilities they need to avoid unplanned outages, from everything-as-code and deployable architectures, implemented through IBM Cloud Schematics, to highly available network architecture and state-of-the-art IBM Cloud Monitoring. The auto scaling features of many services, including Virtual Private Cloud, IBM Kubernetes Service, Red Hat OpenShift on IBM Cloud and IBM Cloud Databases, ensure that workloads have enough capacity to meet peaks, with the ability to easily load-balance across zones or even regions. Meanwhile, DevSecOps practices, implemented with Continuous Delivery toolchains, enhance automated release management and secure-by-design practices.

Continuity & Recovery

A foundational assumption underpinning operational resilience regulation is that incidents and unplanned outages happen despite everyone’s best efforts, so how we deal with them, by reducing both occurrences and their impact, is paramount. We regularly conduct BCDR testing and ensure that our processes support client impact tolerance targets and that outcomes feed back into employee training, awareness and continuous improvement. When incidents do occur, we share timely incident notifications with impacted clients, and we conduct root-cause analysis and share findings as appropriate. Many IBM Cloud services automatically back up customer data to cross-regional Object Storage buckets to aid recovery to a second region in the event of a disaster, in line with our shared responsibility model.

Accelerate your compliance by using IBM Cloud services

IBM Cloud offers the following range of services that will help you meet specific DORA requirements and accelerate your compliance journey.

1. ICT risk management

  • Cloud Pak for Security (Security): Integrate existing security tools to gain deeper insights into threats and risks, orchestrate actions and automate responses.
  • IBM Cloud Security and Compliance Center - Data Security Broker - Manager (Security): A security solution in the Security and Compliance Center suite providing centralized encryption policies and auditing of data across different data sources.
  • IBM Cloud Security and Compliance Center - Workload Protection (Security): In architectures that are focused on containers and microservices, you can use IBM Cloud® Security and Compliance Center Workload Protection to find and prioritize software vulnerabilities, detect and respond to threats and manage configurations, permissions and compliance from source to run.
  • IBM Key Protect for IBM Cloud (Security): The IBM® Key Protect for IBM Cloud® service helps you provision and store encrypted keys for apps across IBM Cloud services, so you can see and manage data encryption and the entire key lifecycle from one central location.
  • IBM QRadar Suite (Security): IBM Security® QRadar® Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle. The portfolio is embedded with enterprise-grade AI and automation to dramatically increase analyst productivity, helping resource-strained security teams work more effectively across core technologies. With a common user interface, shared insights and connected workflows, it offers integrated products for endpoint security (EDR, XDR, MDR), SIEM and SOAR.
  • IBM X-Force (Security): X-Force can help you build and manage an integrated security program to protect your organization from global threats. With a deep understanding of how threat actors think, strategize and strike, our team knows how to prevent, detect, respond to and recover from incidents so that you can focus on business priorities. X-Force offensive and defensive services are underpinned by threat research, intelligence and remediation services.
  • IBM Cloud Hardware Security Module (Security): IBM Cloud Hardware Security Module (HSM) 7.0 from Gemalto protects cryptographic infrastructure by more securely managing, processing and storing cryptographic keys inside a tamper-resistant hardware device. It helps you solve complex security, compliance, data sovereignty and control challenges when migrating and running workloads on the cloud.
  • Confidential Computing (Security): Protect your data at rest, in transit and in use with the broadest selection of data security and encryption technologies from IBM Z, IBM LinuxONE and Intel® Xeon® on IBM Cloud.
  • IBM Security Guardium (Security): IBM Security® Guardium® is a family of data security software in the IBM Security portfolio that uncovers vulnerabilities and protects sensitive on-premises and cloud data.
  • IBM Cloud Storage Services (Storage): Our cloud storage services offer a scalable, security-rich and cost-effective home for your data while supporting traditional and cloud-native workloads. Provision and deploy services such as object, block and file storage. Adjust capacity and optimize performance as requirements change. Pay only for the cloud storage you need.
  • IBM Cloud Backup (Storage): IBM Cloud® Backup is a full-featured, agent-based backup and recovery system managed through a web interface. Back up data between IBM Cloud servers in one or more IBM Cloud global data centers.
  • IBM Cloud Database services (Databases): IBM Cloud® Database-as-a-Service (DBaaS) services free developers and IT from complex and time-consuming tasks, including deployment of infrastructure and database software, infrastructure operations, database software updates and backup. IBM Cloud® Database SMEs deliver and maintain ready-to-use, highly available database instances, freeing developer and IT staff time to focus on other priorities.
  • IBM Cloud Container Registry (Containers): Store and distribute container images in a fully managed private registry. Push private images to conveniently run them in the IBM Cloud® Kubernetes Service and other runtime environments. Images are checked for security issues so you can make informed decisions about your deployments.
  • DevSecOps Application Lifecycle Management (Developer tools): The DevSecOps Application Lifecycle Management Deployable Architecture creates a set of DevOps toolchains and pipelines. DevSecOps uses continuous delivery (CD) (Git Repos and Issue Tracking, Tekton Pipelines, IBM Cloud® DevOps Insights and Code Risk Analyzer), Secrets Manager, IBM® Key Protect, IBM Cloud® Object Storage, IBM Cloud® Container Registry and Vulnerability Advisor.
  • IBM Cloud observability solutions (Logging & monitoring): Observability provides deep visibility into modern distributed applications for faster, automated problem identification and resolution.

2. Incident reporting

The following services, described above under ICT risk management, also support incident reporting:

  • IBM X-Force (Security)
  • IBM QRadar Suite (Security)
  • IBM Security Guardium (Security)
  • IBM Cloud observability solutions (Logging & monitoring)

3. Operational resiliency testing

The following services, described above under ICT risk management, also support operational resiliency testing:

  • IBM Cloud Security and Compliance Center - Workload Protection (Security)
  • IBM X-Force (Security)
  • IBM QRadar Suite (Security)
  • IBM Security Guardium (Security)
  • DevSecOps Application Lifecycle Management (Developer tools)

4. Third-party risk management

The following service, described above under ICT risk management, also supports third-party risk management:

  • IBM Cloud Security and Compliance Center - Workload Protection (Security)

5. Information and intelligence sharing

The following services, described above under ICT risk management, also support information and intelligence sharing:

  • IBM X-Force (Security)
  • Cloud Pak for Security (Security)

Resources

IBM has made available to its financial services clients a number of resources to enable their preparedness for compliance with the DORA regulation.

These resources can be leveraged as financial entities begin to define their risk exposures, identify third-party dependencies and develop an approach for digital operational resilience.

  • White Paper: How financial entities can deliver value from investment in digital operational resilience
  • White Paper: Testing Operational Resilience
  • Navigating the digital wave: Understanding DORA and the role of confidential computing