“DORA: The Key to Digital Operational Resilience in the Financial Sector”

### Understanding the Digital Operational Resilience Act (DORA) and Its Importance for the Financial Sector

The **Digital Operational Resilience Act**, commonly known by the acronym **DORA** (Regulation (EU) 2022/2554), is an EU regulation that applies from 17 January 2025. It establishes a single, directly applicable framework for managing ICT risk across the banking, financial, and insurance sectors. Its scope is not limited to traditional institutions: it also covers payment institutions, electronic money institutions, crypto-asset service providers, and the ICT third-party providers that serve them, which underlines how central operational security has become in an increasingly digital financial system.

### What is Digital Operational Resilience?

DORA defines digital operational resilience as "the ability of a financial entity to build, assure and review its operational integrity and reliability" (Article 3(1), quoted in part; the full definition goes on to cover the ICT capabilities needed to keep financial services running, including throughout disruptions). But what does this mean in concrete terms?

Digital operational resilience means that institutions must not only prevent and mitigate the risks arising from cyberattacks and other ICT-related threats, but must also be able, when an incident does occur, to contain it, recover, and return to normal operations quickly. This requires careful planning and the implementation of standardized, documented, and regularly tested procedures.

### A Harmonized Regulatory Framework

A crucial aspect of DORA is that, as a regulation rather than a directive, it applies uniformly across the 27 member states of the European Union without national transposition. The aim is to strengthen the European single market for banking and financial service providers by establishing common standards that promote greater competition and transparency.

Traditionally, companies have been free to choose how to manage their cybersecurity, relying on voluntary frameworks such as **ISO/IEC 27001** certification or on in-house frameworks of their own design. DORA, by contrast, introduces detailed and binding rules (supplemented by regulatory and implementing technical standards) that require all financial entities to follow common procedures and to produce compliance documentation in a uniform way.

### From Individual Procedures to Collective Rules

One of the main differences from previous frameworks is the shift from a cybersecurity control system left to the individual responsibility of each company to one in which the European legislator sets out prescriptive requirements on what must be documented and how the ICT risk management framework should be structured.

In practice, this means that companies will need not only to have policies in place but also to document them coherently and systematically, and to be able to demonstrate this to supervisors on request. In short, DORA demands a greater commitment to, and transparency about, operational and information security.

### A Regulatory, Not Technical System

It is important to note that DORA should not be read as a mere catalog of technical cybersecurity controls. It does impose concrete obligations (for example on the reporting of major ICT-related incidents and on regular digital operational resilience testing), but it frames them as duties of governance and policy. Operators will therefore need to focus on how they document, update, and continuously improve their security practices, and on proving that they do so, rather than merely deploying technical solutions.

### Creating a Culture of Resilience

Another objective of DORA is to promote a culture of operational resilience within organizations. The regulation deliberately involves not only cybersecurity technicians but also decision-makers and company administrators: it places responsibility for defining, approving, and overseeing the ICT risk management framework on the management body itself, so that operational resilience is understood as an integral part of business strategy rather than an IT matter.

Building a corporate culture oriented toward resilience means investing human and technological resources so that, in the event of an attack or ICT incident, the organization can respond effectively, keep essential services running, and minimize damage.

### Conclusion

In a continuously evolving digital environment, financial institutions face increasingly complex challenges. DORA is the legislative response to these challenges: it establishes a common regulatory framework and makes operational resilience a supervised, board-level obligation that protects both the organizations themselves and the financial system they belong to.