Standardful
Effective international standard. Last updated: January 2025

DORA

Digital Operational Resilience Act (Regulation (EU) 2022/2554)

Issuing organisation: European Union

Overview

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is the EU's digital operational resilience regulation for the financial sector, fully applicable from 17 January 2025. It establishes uniform ICT (information and communication technology) risk management requirements for EU financial entities, covering 21 categories of financial entities, including banks, insurers, investment firms, payment institutions and crypto-asset service providers, as well as the critical third-party ICT service providers that serve them.

DORA rests on five core pillars: an ICT risk management framework; ICT-related incident reporting (for major incidents, an initial report within 4 hours, an intermediate report within 72 hours and a final report within 1 month); digital operational resilience testing (including threat-led penetration testing, TLPT, once every three years); ICT third-party risk management (including a direct oversight framework for critical ICT third-party service providers); and information-sharing arrangements. The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) are responsible for drafting the regulatory technical standards. Non-compliance can lead to fines of up to EUR 10 million or 2% of annual turnover; critical ICT providers can face daily penalty payments of up to EUR 5 million or 1% of global turnover.


Five Pillars of Resilience

Establishes a harmonized framework across five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing.


Third-Party Oversight

Introduces a direct oversight framework for critical ICT third-party service providers (including cloud providers) by European Supervisory Authorities — a first in EU financial regulation.


Incident Reporting

Mandates classification and reporting of major ICT-related incidents to competent authorities, with initial notification within 4 hours and detailed reports within 72 hours.

Five Key Pillars

  • ICT Risk Management — comprehensive framework and governance
  • ICT Incident Reporting — classification, notification, and analysis
  • Digital Operational Resilience Testing — threat-led penetration testing (TLPT)
  • ICT Third-Party Risk Management — due diligence and exit strategies
  • Information Sharing — voluntary threat intelligence exchange
  • Oversight of critical third-party ICT providers by ESAs
  • Proportionality principle based on entity size and risk profile
  • Annual review and board-level accountability

Who Needs to Comply?


All EU-regulated financial entities including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT service providers. Applies to over 22,000 financial entities and ICT providers in the EU.

Key Requirements

1. ICT Risk Management Framework

Implement a comprehensive ICT risk management framework including identification, protection, detection, response, and recovery capabilities. Board of directors bears ultimate responsibility.

2. Incident Classification & Reporting

Classify ICT incidents using defined criteria (data loss, duration, geographic spread, etc.). Report major incidents to competent authorities with initial notification, intermediate, and final reports.

3. Resilience Testing

Conduct regular digital operational resilience testing including vulnerability assessments, network security reviews, and — for significant entities — threat-led penetration testing (TLPT) at least every three years.

4. Third-Party Risk Management

Maintain a register of all ICT third-party arrangements. Conduct due diligence, include mandatory contract clauses, and establish exit strategies for critical service providers.

5. Information Sharing

Participate in voluntary arrangements for sharing cyber threat intelligence and vulnerability information with other financial entities and authorities to strengthen collective resilience.

Penalties & Enforcement


Financial entities face fines up to 2% of total annual worldwide turnover or 1% of average daily global turnover. Critical third-party ICT providers face fines up to EUR 5 million (EUR 500,000 for individuals). Member States may impose criminal penalties for severe violations.


Implementation Timeline

  • September 2020: European Commission proposes DORA
  • November 2022: DORA adopted by European Parliament and Council
  • December 2022: DORA published in EU Official Journal
  • January 2023: DORA enters into force, 2-year implementation period
  • January 2025: DORA becomes fully applicable and enforceable
  • 2025: ESAs publish regulatory technical standards and guidelines
