Standards Comparison

    DORA (Mandatory, 2023)
    EU regulation for digital operational resilience in the financial sector.

    VS

    ISO 28000 (Voluntary, 2022)
    International standard for supply chain security management systems.

    Quick Verdict

    DORA mandates digital resilience for the EU financial sector against ICT risks through testing and incident reporting, while ISO 28000 offers a voluntary supply chain security framework that applies globally. Firms adopt DORA because it is a regulatory obligation, and ISO 28000 for resilience, certification, and market advantage.

    Digital Operational Resilience: DORA
    Regulation (EU) 2022/2554
    Cost: €€€€ | Complexity: Medium | Implementation Time: 18-24 months

    Supply Chain Security: ISO 28000
    ISO 28000:2022, Security management systems - Requirements
    Cost: €€€€ | Complexity: High | Implementation Time: 12-18 months

    Key Features (ISO 28000)

    • Risk-based supply chain security assessment and treatment
    • PDCA cycle for continual SMS improvement
    • Supplier and third-party security governance
    • Integration with ISO 22301 and 27001 standards
    • Incident response and recovery planning

    Detailed Analysis

    A comprehensive look at the specific requirements, scope, and impact of each standard.

    DORA Details

    What It Is

    The Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, is a transformative EU regulation. It mandates digital operational resilience for the financial sector against ICT disruptions such as cyberattacks and third-party failures. Applicable to 20 types of financial entity and to critical ICT third-party providers (CTPPs) across the 27 member states, it takes a risk-based, proportional approach that favours proactive strategies over reactive measures.

    Key Components

    Its core pillars are ICT risk management frameworks for identifying and mitigating risks; standardized incident reporting with 4-hour notifications; resilience testing via annual scans and triennial threat-led penetration testing (TLPT); and third-party oversight, combining entity-level due diligence with ESA supervision of CTPPs. Proportionality tailors the requirements to each entity's size and risk profile; there is no formal certification, but compliance is strictly enforced.

    Why Organizations Use It

    Financial entities comply to meet their legal obligations ahead of the January 2025 deadline and to avoid fines of up to 2% of global turnover. DORA mitigates systemic cyber risk (74% perceive it as the top threat), strengthens resilience after incidents such as the CrowdStrike outage, builds stakeholder trust, and drives cybersecurity innovation amid an estimated €10-15B of EU spend.

    Implementation Overview

    Implementation involves gap analyses against the RTS/ITS, framework development, testing programmes, and vendor monitoring. DORA targets roughly 22,000 entities; larger firms can build on existing setups, while SMEs face greater challenges. Ongoing ESA oversight, with the Batch 1 and Batch 2 technical standards, guides the phased rollout by 2025.

    ISO 28000 Details

    What It Is

    ISO 28000:2022 is an international management system standard that specifies requirements for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain security and resilience. It adopts a risk-based approach using the PDCA cycle and is aligned with the ISO High Level Structure.

    Key Components

    • Clauses cover context, leadership, planning, support, operation, performance evaluation, and improvement.
    • Emphasizes risk assessment, security strategies, incident response, supplier controls, and continual improvement.
    • Built on ISO 31000 risk principles and integrates with ISO 22301, ISO 27001.
    • Optional third-party certification via accredited bodies per ISO 28003.

    Why Organizations Use It

    • Mitigates supply chain risks like theft, sabotage, disruptions.
    • Meets contractual, regulatory, trade facilitation needs.
    • Reduces incidents, insurance costs; enhances market access, reputation.
    • Builds stakeholder trust through auditable governance.

    Implementation Overview

    • Phased: scoping, gap analysis, risk assessment, controls deployment, audits, certification.
    • Scalable to organizations of all sizes and industries (logistics, manufacturing, pharma).
    • Globally applicable; involves training, supplier engagement, and KPI monitoring.

    Key Differences

    Scope
      DORA:      Digital operational resilience in finance
      ISO 28000: Supply chain security management systems

    Industry
      DORA:      EU financial entities and ICT providers
      ISO 28000: All industries worldwide, supply chain focused

    Nature
      DORA:      Mandatory EU regulation with enforcement
      ISO 28000: Voluntary international certification standard

    Testing
      DORA:      Annual basic tests, triennial TLPT
      ISO 28000: Internal audits, management reviews, certification audits

    Penalties
      DORA:      Fines of up to 2% of global turnover
      ISO 28000: Loss of certification, no legal penalties
