Digital Operational Resilience Act (DORA)

What is DORA? 

Starting from 17 January 2025, the DORA regulation will be enforced across all EU Member States. This framework addresses the risks from digital transformation, interconnected networks, and sophisticated cyberattacks in the financial sector. It is part of the European Commission’s strategy to promote innovation while ensuring financial stability and consumer protection. DORA provides a harmonised framework for digital operational resilience and establishes oversight for critical ICT service providers at the EU level.

Objective of DORA: 

DORA aims to ensure financial entities can withstand, respond to, recover from, and learn from significant ICT-related disruptions. It shifts the focus from risk prevention to a proactive approach, anticipating incidents and emphasising preparedness to maintain critical business activities. This approach enhances organisational agility and customer trust. For Euronext, DORA is an opportunity to strengthen operational resilience in IT, cybersecurity, business continuity, and third-party risks.

The five pillars of DORA

ICT risk management:

Establishing comprehensive frameworks for managing ICT risks.

Incident reporting:

Streamlining the reporting of major ICT-related incidents to competent authorities.

Digital operational resilience testing:

Conducting regular testing to ensure preparedness against cyber threats.

ICT third-party risk management:

Supervising and managing risks associated with third-party ICT service providers.

Information sharing:

Facilitating the exchange of information on cyber threats and vulnerabilities among financial entities.

DORA scope & timeline 

DORA applies to a wide range of financial entities, including banks, insurance companies, and investment firms, as well as ICT third-party service providers. The regulation came into force on 16 January 2023, and will be fully applicable from 17 January 2025.

Euronext implementation approach

Euronext has established a robust model to ensure compliance with DORA, leveraging its federal structure and group frameworks for Risk Management, Business Continuity Management (BCM), IT, and Cybersecurity. 

Key actions include:

Dedicated programme:

A comprehensive programme covering all financial entities and intra-group ICT providers to ensure compliance by January 2025.

Strong governance:

Sponsored by senior executives, the programme includes representatives from Risk, BCM, Internal Control, Information Security, IT, Finance and Legal departments. Regular committees and updates at both Group and local levels ensure effective governance.

Alignment with Euronext strategy:

The programme aligns with Euronext’s goal of building stronger resilience and readiness to respond to evolving threats. From 2025, Euronext will integrate DORA principles into its strategy and daily operations, enhancing its ability to mitigate disruptions from cyber threats and other incidents.

By building on its existing strong foundation, Euronext is well-positioned to meet DORA requirements and enhance its digital operational resilience.

DORA FAQ 

DORA aims to develop a European approach that fosters technological development and ensures financial stability and consumer protection across the EU financial sector. The primary subjects of DORA are EU financial entities, and EU and non-EU ICT third-party providers (including intra-group ICT providers) that provide services to EU financial entities. Given this scope, Euronext is prepared for DORA implementation across several entities (financial entities and Euronext ICT services).

Within each DORA pillar, Euronext has carried out an in-depth gap analysis of the full regulatory framework and taken multiple actions: it has updated policies, procedures and systems, reviewed agreements, and set up new T&C to ensure full DORA alignment. The DORA implementation programme has been set up under strong internal governance, in close discussion with and under the scrutiny of the Euronext College of Regulators.

Euronext has set up a Group-wide programme that builds on a strong foundation and adjusts the existing model to ensure DORA implementation across all Euronext entities in scope. The programme is composed of experts and key representatives from key areas, covering the Group and all relevant local businesses and companies within Euronext.

Euronext regulated entities will apply DORA in line with the regulatory timeline, from 17 January 2025.

To support our customers, Euronext is preparing the relevant documentation to be shared upon request.