DORA
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554, applicable from 17 January 2025) harmonizes ICT risk management across the EU financial sector. It applies to banks, insurers, investment firms, payment providers, crypto-asset service providers, and the ICT third-party providers designated as critical to that sector. Financial entities must establish an ICT risk management framework, detect, classify and report major ICT-related incidents, and conduct regular digital operational resilience testing; entities that supervisors identify as significant must additionally run threat-led penetration testing (TLPT) against their live production systems at least every three years. Third-party risk management is a core focus: entities must maintain a register of ICT dependencies, assess concentration risk where many critical functions rest on a small number of providers, and ensure contractual arrangements include audit and access rights, incident reporting and termination provisions, and tested exit strategies. Critical ICT third-party providers (such as major cloud platforms) face direct EU oversight, with one of the European Supervisory Authorities acting as Lead Overseer, which is DORA's answer to the sector's reliance on a handful of technology providers.