Standard Overview
The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening the IT security and operational resilience of financial entities. Fully applicable since 17 January 2025, it establishes uniform requirements for ICT risk management, incident reporting, resilience testing, and third-party risk management across the entire EU financial sector.
DORA represents a paradigm shift in EU financial regulation, directly supervising critical ICT service providers and enforcing uniform resilience standards. It covers more than 22,000 financial entities and their technology providers, ensuring that the financial system can withstand, respond to, and recover from severe operational disruptions and cyber threats.
Five Pillars of Resilience
Establishes a harmonized framework across five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party risk management, and information sharing.
Third-Party Oversight
Introduces a direct oversight framework for critical ICT third-party service providers (including cloud providers) by European Supervisory Authorities — a first in EU financial regulation.
Incident Reporting
Mandates classification and reporting of major ICT-related incidents to competent authorities, with initial notification within 4 hours and detailed reports within 72 hours.
Five Key Pillars
- ICT Risk Management — comprehensive framework and governance
- ICT Incident Reporting — classification, notification, and analysis
- Digital Operational Resilience Testing — threat-led penetration testing (TLPT)
- ICT Third-Party Risk Management — due diligence and exit strategies
- Information Sharing — voluntary threat intelligence exchange
- Oversight of critical third-party ICT providers by ESAs
- Proportionality principle based on entity size and risk profile
- Annual review and board-level accountability
Who Needs to Comply?
All EU-regulated financial entities including banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT service providers. Applies to over 22,000 financial entities and ICT providers in the EU.
Key Requirements
ICT Risk Management Framework
Implement a comprehensive ICT risk management framework including identification, protection, detection, response, and recovery capabilities. Board of directors bears ultimate responsibility.
Incident Classification & Reporting
Classify ICT incidents using defined criteria (data loss, duration, geographic spread, etc.). Report major incidents to competent authorities with initial notification, intermediate, and final reports.
Resilience Testing
Conduct regular digital operational resilience testing including vulnerability assessments, network security reviews, and — for significant entities — threat-led penetration testing (TLPT) at least every three years.
Third-Party Risk Management
Maintain a register of all ICT third-party arrangements. Conduct due diligence, include mandatory contract clauses, and establish exit strategies for critical service providers.
Information Sharing
Participate in voluntary arrangements for sharing cyber threat intelligence and vulnerability information with other financial entities and authorities to strengthen collective resilience.
Penalties & Enforcement
Financial entities face fines up to 2% of total annual worldwide turnover or 1% of average daily global turnover. Critical third-party ICT providers face fines up to EUR 5 million (EUR 500,000 for individuals). Member States may impose criminal penalties for severe violations.