Digital Operational Resilience Act (DORA) Compliance Report

The Digital Operational Resilience Act (DORA) is a regulation enacted by the European Union to strengthen the digital operational resilience of the financial sector.

Digital Operational Resilience Act (DORA) Goal

The main goal of DORA is to ensure that financial entities and ICT (information and communication technology) third-party service providers can withstand, respond to, and recover from all types of ICT-related disruptions and threats.

Compliance required by

Organizations must comply with the national laws implementing DORA by January 17, 2025.

For more information on the Digital Operational Resilience Act (DORA), visit Regulation - 2022/2554 - EN - DORA - EUR-Lex

For more information on securing web applications, visit HCL AppScan: Advanced Application Security Testing

Sections of the regulation

ID | Name
Article 7, Section a | In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4.
Article 9, Section 1 | For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures.
Article 9, Section 2 | Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.
Article 9, Section 3.a | In order to achieve the objectives referred to in paragraph 2, financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4. Those ICT solutions and processes shall ensure the security of the means of transfer of data.
Article 9, Section 3.b | In order to achieve the objectives referred to in paragraph 2, financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4. Those ICT solutions and processes shall minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity.
Article 9, Section 3.c | In order to achieve the objectives referred to in paragraph 2, financial entities shall use ICT solutions and processes that are appropriate in accordance with Article 4. Those ICT solutions and processes shall prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data.
Article 9, Section 4.c | As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof.
Article 9, Section 4.d | As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes.
Article 9, Section 4.f | As part of the ICT risk management framework referred to in Article 6(1), financial entities shall have appropriate and comprehensive documented policies for patches and updates.