[Image: “Building the Digital Future: Operational Resilience as an Imperative.”]
**The DORA Regulation: Towards Greater Security in the Digital Financial Sector**
In today’s digital era, where technological transformation drives much of the economy, cybersecurity is an indispensable priority. In this context, the DORA Regulation (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is a significant regulatory response to the growing threats facing the financial sector. Published in the Official Journal of the European Union on December 27, 2022, the Regulation marks an important step towards a safer and more resilient environment for financial entities.
**Origins and Objectives of the DORA Regulation**
DORA was created to ensure that financial institutions are adequately equipped to identify, withstand and recover from risks related to their digital operations. Applicable from January 17, 2025, the Regulation establishes a binding framework that requires financial entities to adopt rigorous standards in ICT risk management, operational continuity, and incident reporting. These measures aim not only to strengthen the protection of data and services but also to foster trust and stability in a financial market that increasingly faces sophisticated and evolving cyberattacks.
**DORA in a Broader European Regulatory Context**
DORA does not operate in a regulatory vacuum; it interacts with and complements other European cybersecurity legislation. In particular, its relationship with the NIS2 Directive (Directive (EU) 2022/2555 on network and information security), which extended security and incident-reporting obligations to a wider set of essential and important entities, must be considered. NIS2 sets a common baseline of cybersecurity requirements across sectors, whereas DORA acts as sector-specific legislation (lex specialis) for the financial sector: for financial entities in scope of DORA, its more detailed and stringent requirements apply in place of the corresponding NIS2 provisions.
**Who Falls Under the Scope of DORA?**
Compared with previous financial legislation, DORA significantly broadens the range of entities in scope, covering not only banks and investment firms but also newer actors such as crowdfunding service providers and crypto-asset service providers. Moreover, the Regulation also reaches ICT third-party service providers, such as cloud computing and data analytics providers: financial entities must manage the risk of relying on them, and providers designated as critical are subject to a direct Union-level oversight framework.
**Key Provisions of the DORA Regulation**
DORA imposes a series of essential requirements on financial entities to ensure their digital operational resilience. Among the main obligations are the need to:
1. **Define Cybersecurity Governance:** Financial entities must establish a structured governance framework for managing ICT risk, in which the management body carries ultimate responsibility for approving mitigation measures and overseeing their implementation.
2. **Manage ICT Risks:** Each entity must adopt a sound, documented ICT risk management framework that supports digital resilience, ensuring operational continuity and the ability to respond to and recover from crisis situations.
3. **Classify Incidents:** The Regulation requires the classification of ICT-related incidents, including those originating at third-party ICT providers, according to their impact, so that major incidents are identified and managed effectively.
4. **Report Incidents:** Each entity must operate a robust monitoring and reporting process so that major ICT-related incidents are promptly communicated to the competent authority (through initial, intermediate and final reports) and, where their financial interests are affected, to clients.
5. **Test the Resilience of Infrastructures:** DORA mandates a digital operational resilience testing programme, with critical ICT systems tested at least yearly and, for entities identified by the authorities, threat-led penetration testing (TLPT) at least every three years, to assess resilience against realistic, evolving threats.
*Moreover, the Regulation requires the management of ICT third-party risk: entities must maintain a register of the services and processes that depend on third parties and ensure that contractual arrangements with those providers contain the key provisions DORA requires, such as service levels, audit and access rights, and exit and termination conditions.*