Digital Operational Resilience Act

The Digital Operational Resilience Act (“DORA”) was adopted on 27 December 2022. It is a European Union regulation designed to increase the cybersecurity requirements for financial institutions (“FSIs”, Financial Services Industries) and their information and communication technology (“ICT”) service providers. DORA is built around the following guiding principles, with an overarching principle of proportionality:

  • ICT risk management
  • ICT-related incident reporting and cybersecurity threat notification
  • Reporting of major operational or security payment-related incidents
  • Digital operational resilience testing
  • Information and intelligence sharing in relation to cyber threats and vulnerabilities, and
  • Sound management of ICT third-party risk

As of 17 January 2025, DORA will apply to a wide range of FSIs, including banks, insurance companies, intermediaries and investment firms. FSIs will need to implement DORA when they operate in Europe, in addition to the already applicable guidelines of European Supervisory Authorities (“ESAs”).

DORA retains the risk-based approach of previous standards, meaning that FSIs will need to apply policies and contractual requirements in a manner consistent with the actual risks of the ICT services they use. DORA distinguishes between contractual requirements applicable to all ICT services and those applicable to ICT services supporting critical or important functions. Consistent with this principle, DORA also provides for a simplified regime for smaller FSIs.

With the upcoming 17 January 2025 deadline, the European Commission has adopted a wide range of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), which set out detailed standards on topics such as, without limitation, the implementation of the ICT risk management framework, incident management and classification, penetration testing, and contracting arrangements for services supporting critical or important functions.

Proofpoint is committed to the provision of secure and resilient ICT products and services to its customers. Please visit our Trust site for additional information on how Proofpoint’s products and services are secured and comply with applicable laws and regulations including DORA.

Last updated December 05, 2024.