FAQ Go to content
Advisory FAQ
Risk & Finance Authorizations and Supervision AML and Financial Crime Prevention Compliance & Governance ECB Office ESG and Sustainability Treasury
Managed Services FAQ
Control Functions AML and Financial Crime Prevention Regulatory Reporting and Monitoring Model Validation Risk Measurement
Tech Solutions FAQ
Quantitative Analytics Financial Data Management Risk Management Contract Lifecycle Management Horizon Scanning and Regulatory Change Management
Industries FAQ
Bank Insurance Asset Management Payment Market Infrastructure
This is FCG FAQ
Client Stories News Career Contact Management & Board Events
FAQ EN
Advisory
Managed Services
Tech Solutions
Industries
This is FCG

Select your region and language

Search

FAQ

FAQ

The Frequently Asked Questions are based on the current published requirements of DORA and will be updated once the final versions are published.

What is DORA?

DORA (Digital Operational Resilience Act) is a single legislative act addressing ICT risk in finance across the European union.

When is DORA due?

DORA was published in Official Journal of the EU in December 2022, and enters into force January 2025.

What are the biggest areas DORA addresses?

The biggest areas are;
1) ICT based risk and internal control framework
2) Incident management and reporting
3) Security testing
4) Resilience or business continuity management
5) Third-party risk management

What companies are effected by DORA?

Most companies within banking and finance are effected by DORA (with the exception of financial infrastructure companies) including banks, insurance companies, FinTechs, crypto asset providers and crowd funding companies. ICT third-party service providers are also included in DORA (to be defined by the EU financial authorities) and have to adhere to DORA.

How vital is the future management of ICT third-party providers?

The management of ICT third-party providers is a fundamental concept to DORA. It includes companies’ ability to have appropriate insight to manage, monitor and measure performance of third-party providers.

What is the difference between DORA and the ICT and security risk management regulations?

There are slight differences between DORA and the ICT regulations currently in force. At large the regulations address the same areas but there are subtle differences and focus areas. The ICT regulations are also broader as they are addressing additional areas such as governance and management of ICT.

Will DORA drive organisational changes?

For companies already organised by the three lines-of-defense model no significant changes are needed. For companies who previously have no regulation forcing a three line-of-defense model, a second-line-of-defense needs to established or outsourced to a professional service provider.

Is DORA the final regulation within information security and outsourcing?

DORA is accompanied with three batches of Regulatory Technical Standards (RTS) to clarify and regulate the banking and finance sector even further. These Technical Standards will be published in July 2023, January 2024 and July 2024 . There are also additional regulations under development within the information security areas, such as the EU Cyber Security Act, the NIS 2 Directive, and additional regulation from the European financial authorities (EBA, EIOPA and ESMA).

Want to find out how FCG can help you?

Consult with a DORA expert

Offices

This is FCG