The Digital Operational Resilience Act (DORA), enacted by the EU on 16 January 2023, aims to strengthen the financial sector’s ability to manage ICT-related risks, including those highlighted by the COVID-19 pandemic and rising cyber threats. It introduces a standardized framework for operational resilience, ensuring that financial institutions and their critical third-party providers, like Google Cloud, maintain robust risk management, ongoing resilience testing, and transparent incident reporting. DORA places significant emphasis on securing digital infrastructures and minimizing service disruptions which are crucial for market stability and consumer trust. The regulation will officially apply from 17 January 2025, by which time financial institutions must comply with its rigorous standards[1].
Building a Unified Framework for Resilience
Strengthening ICT Risk Management
DORA consolidates a broad range of existing EU regulations[2], establishing a standardised framework for ICT risk management. It mandates financial entities to develop comprehensive ICT risk management systems including regular monitoring, incident reporting, and robust operational resilience testing. These requirements aim to ensure the stability of financial services, even under severe operational disruptions, by incorporating critical cyber threat intelligence and vulnerability monitoring into business continuity plans.
ICT risk management framework in a nutshell[3]:
- Identification of all sources of ICT risk
- Protection of ICT systems
- Detection of anomalous activities
- Response and recovery plans and procedures
- Continuous learning and evolving
- Crisis Communication policies and plans
Service Providers Under Scrutiny
A significant aspect of DORA is its extended oversight of critical ICT providers, including cloud service providers like Google Cloud. This new scrutiny is part of DORA’s third-party risk management rules, ensuring that cloud providers are accountable for maintaining high levels of transparency and resilience. Financial entities are required to assess the risks posed by these third-party services, report on their contracts, and ensure critical functions remain intact, even if disruptions occur. The ESAs (European Supervisory Authorities) will also oversee these providers, ensuring compliance with strict resilience and security standards.
Managing third-party risk in a nutshell:
- ICT third-party risk as an integral part of the ICT risk management framework
- Strategy on ICT third-party risk
- Register of information
- Pre-contracting analyses over ICT services
- Promotion of standard contractual clauses
- Empowerment of supervisory authorities to designate and exercise oversight over critical third-party service providers
Proactive Resilience Measures
DORA emphasizes proactive measures such as resilience testing and threat-led penetration testing[4], particularly for financial institutions and their critical ICT systems. These tests ensure that firms can swiftly recover from disruptions while minimising the risk of significant failures. The regulation also mandates regular testing of systems and operational resilience measures to safeguard continuous service availability. For large institutions, advanced testing like TLPT (Threat-Led Penetration Testing) will be required, to ensure vulnerabilities are promptly addressed.
Digital operational resilience testing in a nutshell:
- A digital operational resilience testing program as an integral part of the ICT risk management framework
- Advanced testing based on TLPT
- Requirements for testers for the carrying out of TLPT
Google Cloud’s Example
Google Cloud is actively preparing for the implementation of DORA[5] by enhancing its cybersecurity, resilience testing, and third-party risk management capabilities to support European financial institutions. Recognising DORA’s potential to streamline incident reporting, strengthen operational resilience, and enable direct regulatory oversight of critical ICT providers, Google Cloud is committed to aligning with these new regulations.
Through initiatives such as the Cloud On Europe’s Terms[6], Google Cloud ensures compliance with EU requirements for data sovereignty, security, and sustainability. Its industry-leading security infrastructure, including tools like the Security Command Center[7], enables customers to manage and monitor incidents independently. Additionally, Google Cloud supports rigorous resilience testing, including penetration and disaster recovery tests, helping financial entities meet DORA’s requirements.
Conclusion
DORA is more than just another regulatory hurdle; it’s a bold directive reshaping the very foundation of operational resilience in Europe’s financial sector. By demanding enhanced cybersecurity, continuous testing, and tighter third-party oversight, DORA pushes financial entities to not just comply but thrive in an era of relentless digital threats. As the 2025 deadline looms, this is a call to arms for the sector: to evolve from reactive risk management to proactive, ironclad resilience. Service providers like Google Cloud are already embracing this challenge, setting the standard with advanced security infrastructures and collaborative transparency with regulators. The question now is not whether financial institutions are ready to comply, but whether they are ready to lead.
Ready to future-proof your financial institution under DORA? Discover how Luxembourg’s financial hub is preparing for the challenges and opportunities ahead. Visit LHoFT for the latest insights, resources, and support to ensure your operational resilience strategies are not only compliant but positioned for leadership in this new era of digital security.
Footnotes:
Featured Images: Midjourney
Images https://sosafe-awareness.com/glossary/dora/
[1] For More Information on the Draft RTS :https://www.eiopa.europa.eu/publications/set-rules-under-dora-ict-and-third-party-risk-management-and-incident-classification_en
[2] McCann FitzGerald LLP (30 June 2023), “Exploring DORA: the EU Digital Operational Resilience Act” http://mccannfitzgerald.com/knowledge/finance/briefing-dora-digital- operational- resilience-act
[3] Onur Ozdemir (12 April 2023) “DORA regulation: all your questions answered – Read about the new regulatory framework for digital risk management” https://kpmg.com/lu/en/blogs/home/posts/2023/04/dora-regulation-all-your-questions-answered.html
[4] “What is Threat Led Penetration Testing and why does DORA require it” https://www.secura.com/services/integrated-approach/dora/what-is-threat-led-penetration-testing
[5] Phil Venables (June 4 2022) “Google Cloud’s preparations to address the Digital Operational Resilience Act” https://cloud.google.com/blog/products/identity-security/what-google-cloud-is-doing-to-prepare-for-dora
[6] https://cloud.google.com/blog/products/identity-security/helping-build-the-digital-future-on-europes-terms
[7] https://cloud.google.com/security/products/security-command-center