What is DORA and what framework does it establish

Digital Operational Resilience Act for the financial sector. Learn about the obligations it imposes on financial institutions and how to prepare.

DORA (Digital Operational Resilience Act) is a groundbreaking EU regulation that came into force on January 16, 2023, and will be fully applicable from January 17, 2025. Its main goal is to strengthen the digital operational resilience of financial sector entities in the face of growing cyber threats. The regulation introduces uniform ICT risk management standards, which also include detecting personal data in IT systems and proper personal data retention.

Scope of DORA

The regulation covers a wide range of financial sector entities: banks, payment institutions, insurance companies, investment funds, cryptocurrency companies, and ICT service providers. Each of these entities must implement personal data detection mechanisms in their systems to ensure compliance with both GDPR and DORA. Automatic detection of sensitive data becomes a key element of security infrastructure.

ICT Risk Management

DORA requires financial institutions to create a comprehensive ICT risk management system. This includes identifying all information assets, including the location of personal data in systems. Tools for automatic personal data detection enable inventory of sensitive information and implementation of appropriate protection mechanisms. Institutions must also define personal data retention policies consistent with the data minimization principle.

Digital Resilience Testing

The regulation introduces the obligation to regularly test ICT systems, including advanced penetration tests (TLPT). These tests should include personal data breach scenarios and verify the effectiveness of detection mechanisms. Organizations must have the ability to quickly identify where personal data is located in systems to assess the scale of an incident.

Incident Reporting and Documentation

DORA imposes the obligation to report serious ICT-related incidents to the relevant supervisory authorities within specified timeframes. In case of personal data breaches, rapid identification of the scope is crucial. Automatic personal data detection tools enable precise determination of what data was breached. Proper documentation of processes, including data retention policies, is essential to demonstrate compliance.

Wizards.io offers tools supporting DORA compliance. **Revelio** is an advanced solution for automatic personal data detection in documents and IT systems. It enables quick identification of where sensitive data is located in the organization. **Detecto** enables continuous monitoring of systems for personal data presence. **Oblivio** supports personal data retention management, automating the data deletion process after specified retention periods.

Implementing DORA is a comprehensive undertaking requiring cooperation between IT, security, legal, and business departments. Having tools for personal data detection and lifecycle management is key. Organizations should start preparations as soon as possible to meet the regulation requirements before the full application deadline.