What is DORA?
As of January 17, 2025, financial entities in the European Union (EU) must comply with the EU Digital Operational Resilience Act (Regulation (EU) 2022/2554, 'DORA'), and ICT third-party service providers designated as 'critical' by the European Supervisory Authorities (ESAs) fall under its oversight framework from the point of designation. DORA standardizes how financial entities report ICT-related incidents, test their digital operational resilience, and manage ICT third-party risk across the financial services sector and all EU member states.
In addition to setting clear expectations for the role of ICT providers, DORA gives the ESAs direct oversight powers over designated critical ICT third-party service providers. Microsoft is prepared to be designated as a "critical ICT third-party service provider", to comply with the DORA provisions that then apply to it, and to help regulated financial institutions meet their own requirements.
DORA aims to provide a harmonized approach to achieving “a high level of digital operational resilience” of the financial services industry (FSI) by ensuring that firms can withstand and adapt to a wide range of threats and disruptions, including cyber-attacks, IT failures, and other operational risks. DORA applies to a wide range of FSI entities, including banks, insurance institutions, stock exchanges, and trading platforms.
Key points
- DORA's purpose: DORA seeks to enhance the resilience and stability of the FSI sector by ensuring that FSI entities have in place effective measures to manage and mitigate operational risks, including cyber risks. It aims to protect consumers, investors, and the wider FSI system from the potentially severe consequences of major disruptions or failures within the sector.
- Scope: DORA applies to FSI entities operating in the European Union and to the ICT third-party service providers that provide services to them, regardless of where the provider operates from. It also establishes an oversight framework for critical ICT third-party service providers (CTPPs) designated by the ESAs; each CTPP is assigned to one of the three ESAs (EBA, EIOPA, or ESMA) as its Lead Overseer.
- Key provisions: DORA's provisions fall into three main groups:
- Requirements applicable to FSI entities, including in areas of ICT Risk Management, notification of major ICT incidents, and operational resilience testing such as threat led penetration testing.
- Requirements for the contractual arrangements concluded between ICT third-party service providers and FSI entities.
- Rules for the establishment and conduct of the oversight framework for Critical ICT Third-Party Providers (CTPPs) when providing services to FSI entities.
- Compliance: Microsoft complies with the laws and regulations applicable to it in the provision of its services, including the requirements that would apply to it as a designated CTPP and the obligations placed on ICT third-party service providers supporting FSI entities, whether or not the services underpin critical or important functions. FSI entities that have contractual arrangements in place for the use of Microsoft online services to run their critical or important functions remain accountable for compliance with all obligations under DORA and the applicable financial services regulatory requirements. Microsoft supports FSI entities in meeting those obligations and complies with the requirements applicable to itself.
- Cloud services and providers: DORA is designed to be technology neutral, and its requirements apply not only to FSI entities but also to third-party providers of ICT services, including cloud providers.
- Contractual commitments: DORA mandates specific contractual provisions between ICT third-party service providers and FSI entities. Microsoft ensures its contractual provisions align with the requirements under DORA, as appropriate. Microsoft already aligns with the outsourcing guidelines issued by the EBA, ESMA, and EIOPA, and those guidelines served as a baseline for the contractual requirements in DORA.
- Oversight: DORA does not relieve FSI entities of their obligation to oversee their technology providers, including through audits where required. Microsoft provides a wide range of assurance information to customers, such as third-party attestations, performance data, incident information, and annual and quarterly reports, that can be used to assess Microsoft as a technology provider. The Compliance Program for Microsoft Cloud (CPMC) is a premium support service that can help address more specific and complex scenarios members may face. Where necessary, Microsoft has substantial experience supporting customers in executing audits and in providing transparency and assurance for the continuous oversight and monitoring of its cloud services.
DORA aims to strengthen the operational resilience of the FSI sector and to bolster risk management so that firms can withstand and adapt to a wide range of threats and disruptions. Microsoft complies with the laws and regulations applicable to it in providing its cloud services, including the requirements that would apply to it as a CTPP. FSI entities that have contractual arrangements in place for the use of ICT third-party services remain accountable for compliance with all obligations under DORA and the applicable financial services regulatory requirements, and Microsoft will support them in doing so as required.
Primary areas for customer consideration under DORA
ICT risk management framework
The Digital Operational Resilience Act (DORA) establishes a comprehensive ICT risk management regime with which financial entities must comply, covering the identification of ICT risk, protection and prevention, detection, response, and recovery. Financial entities must establish an internal governance and control framework for ICT risk management and monitor ICT risk on an ongoing basis. These risk management and monitoring requirements extend to the use of ICT services provided by third-party providers.
The elements of this ICT risk management framework broadly encompass:
- Internal governance and control framework for ICT risk management: Financial entities must have an internal governance and control framework that ensures effective and prudent management of ICT risk.
- ICT risk management framework components and requirements: The ICT risk management framework must include strategies, policies, procedures, ICT protocols, and tools that are necessary to protect and ensure the resilience, continuity and availability of ICT systems, information assets and data.
- ICT systems, protocols, and tools specifications: Financial entities must use and maintain updated ICT systems, protocols and tools that are appropriate, reliable, resilient, and capable of processing the data necessary for their activities and services. They must also implement ICT security policies, procedures, protocols, and tools that aim to ensure the security of networks and data and prevent ICT-related incidents.
- Identification of ICT risk sources and dependencies: Financial entities must identify, classify, and document all ICT supported business functions, information assets and ICT assets, and their roles and dependencies in relation to ICT risk. They must also identify all sources of ICT risk, cyber threats, and ICT vulnerabilities, and assess the potential impact of ICT disruptions.
- Detection of ICT-related incidents and anomalies: Financial entities must have mechanisms to promptly detect anomalous activities, ICT network performance issues and ICT-related incidents, and to identify potential single points of failure. They must also define alert thresholds and criteria to trigger and initiate ICT-related incident response processes.
- Response and recovery from ICT-related incidents: Financial entities must have a comprehensive ICT business continuity policy and associated ICT response and recovery plans that aim to ensure the continuity of critical or important functions, quickly and effectively resolve ICT-related incidents, and minimize damage and losses. They must also test, review, and update their plans and measures regularly, and report to the competent authorities as required.
How Microsoft helps with risk management
Microsoft already provides a broad set of built-in ICT risk management capabilities in our services today, including:
- Microsoft Defender for Cloud
- Microsoft 365 Service Health Dashboard
- Microsoft Secure Score
- Azure Service Health
- Microsoft Purview
- Microsoft Purview Compliance Manager
CPMC also provides support on risk assessments, helping members map their control frameworks and requirements to Microsoft's implementations.
Microsoft provides additional solutions to financial entities to help with risk management more broadly, including:
- Microsoft Entra provides integrated identity, access, and authorization management with enhanced protection capabilities and underpins Microsoft Cloud services. Be sure to check out our detailed DORA guidance for Microsoft Entra.
- Microsoft Defender provides integrated, cross-domain threat detection, protection and response across multicloud, email, collaboration platforms, identity, and endpoints.
- Microsoft Purview offers a comprehensive set of data security and compliance solutions, including Data Loss Prevention, Information Protection, Information Barriers, Insider Risk Management, Communication Compliance, eDiscovery, Data Lifecycle Management, and Records Management.
- Microsoft Intune manages and protects cloud-connected endpoints across Windows, Android, macOS, iOS, and Linux operating systems.
- Microsoft Copilot for Security leverages generative AI-powered assistance to protect and respond to threats at scale and at speed of AI.
- Microsoft Purview and Azure Arc help you govern, protect, and manage your data estate across on-premises, Azure, and multicloud environments, and extend that data governance to Microsoft 365.
- Azure Backup, Azure Site Recovery, and Azure Business Continuity Center provide business continuity and recovery capabilities for deployed Azure resources. Microsoft 365 Backup provides backup and restore for unstructured data in Microsoft 365.
Key principles for a sound management of ICT third-party risk
Financial entities are expected to manage ICT third-party risk as part of their ICT risk management framework, adopt a strategy and a policy on the use of ICT services supporting critical or important functions, and maintain a register of information on all contractual arrangements with ICT third-party service providers.
- Preliminary assessment before entering into contracts: Financial entities should assess the risks of contracting with key ICT third-party service providers.
- Key contractual provisions: Financial entities should ensure that the contractual arrangements include, among other things, a description of the functions and services, the locations of data processing and storage, management and supervision of key subcontractors that underpin the provision of critical services, the data protection and security measures, the service level descriptions and performance targets, the termination rights and exit strategies, and the access, inspection, and audit rights of the financial entity and the competent authorities.
Microsoft, being an ICT third-party service provider to the sector, supports customers in addressing these requirements.
How Microsoft helps with third-party risk management
Microsoft provides substantial contractual commitments that align with the guidance from the ESAs and with the provisions of DORA, including the key contractual provisions in Article 30. Your contractual agreement with us, which may include our Enterprise Agreement, the Microsoft Products and Services Data Protection Addendum (DPA), the applicable sections of our Product Terms and, for regulated financial entities, our Financial Services Amendment, covers the key elements required under DORA. Adjustments have been made to help customers meet DORA's requirements. Our DORA mapping document, available on request through your Microsoft contact, explains how our contractual commitments align with DORA. We will continue to work with customers to address their needs and support ongoing compliance.
ICT third-party risk management under DORA extends beyond Microsoft and also covers other third-parties from the perspective of the financial entity. There are a few solutions we offer that help to address third-party risk more broadly including:
- Microsoft Defender for Cloud Apps delivers comprehensive visibility, control, and assessment capabilities for third-party apps and services, mitigating risks associated with external ICT providers. The cloud app discovery can discover third-party apps in use (shadow IT) and provides risk assessment reports.
- Microsoft Purview helps with unified data governance beyond Microsoft cloud solutions. You can also govern, protect, and manage your data estate in third-party clouds.
- Microsoft Purview Compliance Manager assists in third-party risk assessments and vendor compliance management against 300+ standards, guidelines and regulations, offering insights and actions to identify gaps and mitigate risks for Microsoft cloud as well as for hybrid- and multicloud environments. It also features assessment templates for other cloud vendors.
Microsoft also makes checklists available on Service Trust Portal for financial service industry customers looking for regional and country specific guidance.
ICT-related incident management, classification, and reporting
DORA mandates a range of requirements for EU financial entities on ICT-related incident management, classification, and reporting, including the following:
- ICT-related incident management process: Financial entities must have a process to detect, manage, and notify ICT-related incidents and record them according to their priority and severity.
- Classification of ICT-related incidents and cyber threats: Financial entities must classify ICT-related incidents and cyber threats based on criteria such as the number of clients affected, the duration, the geographical spread, the data losses, the criticality of the services and the economic impact.
- Reporting of major ICT-related incidents and voluntary notification of significant cyber threats: Financial entities must report major ICT-related incidents to the relevant competent authority using the standard forms and templates and, where the incident affects clients' financial interests, inform those clients about the incident and the measures taken to mitigate it. Financial entities may also notify significant cyber threats to the relevant competent authority on a voluntary basis.
- Harmonization of reporting content and templates: The ESAs, through the Joint Committee, and in consultation with ENISA and the ECB, shall develop common draft regulatory and implementing technical standards to specify the content, the time limits, and the format of the reports and notifications for ICT-related incidents and cyber threats.
- Centralization of reporting of major ICT-related incidents: The ESAs, through the Joint Committee, and in consultation with the ECB and ENISA, shall prepare a joint report assessing the feasibility of further centralizing incident reporting through the establishment of a single EU Hub for major ICT-related incident reporting by financial entities.
Microsoft can help you establish a comprehensive ICT risk management framework to identify, protect against, detect, respond to, and recover from ICT-related disruptions:
- Microsoft Sentinel is a cloud-native SIEM that enables real-time analysis, detection, and response to security threats; its incident records and timelines support the classification and reporting of ICT-related incidents.
- Microsoft Defender XDR helps in prioritizing, managing and responding to incidents.
- Microsoft Purview Insider Risk Management provides an end-to-end platform to cover insider risks with policies, triggers, and alerts on risky behavior by users.
For Microsoft's online services, you can monitor service health and set up notifications for disruptions directly within the service:
- Microsoft 365 Service Health Dashboard: You can view the health of your Microsoft services, including Office on the web, Microsoft Teams, Exchange Online, and Microsoft Dynamics 365 on the Service Health page in the Microsoft 365 admin center.
- Azure Service Health: Azure offers a suite of experiences to keep you informed about the health of your cloud resources. This information includes current and upcoming issues such as service-impacting events, planned maintenance, and other changes that may affect your availability.
Digital operational resilience testing
DORA requires financial entities to test the ICT systems and applications supporting critical or important functions at least yearly, and requires entities identified by their competent authorities to carry out advanced threat-led penetration testing (TLPT) at least every three years. This testing regime bolsters the testing capabilities of financial entities, fostering timely recovery and business continuity. Microsoft already enables customers to conduct penetration testing of the workloads they deploy on Microsoft Cloud under the Microsoft Cloud Penetration Testing Rules of Engagement; note that those rules cover testing of your own deployed assets, not Microsoft's shared infrastructure. Learn more about the Rules of Engagement and our Bug Bounty programs. Microsoft will continue to work through and support the testing requirements under DORA, consistent with the principles of ensuring the safety, integrity, security, and operational resilience of the Microsoft Cloud.
How Microsoft helps with operational resilience testing
Microsoft routinely conducts internal and third-party penetration testing to identify potential vulnerabilities in the systems that provide our online services. Third-party penetration test reports for applicable Microsoft Online Services are available for download on Service Trust Portal.
In addition to penetration testing, Microsoft tests the resilience of its online services at least annually. Microsoft publishes Business Continuity and Disaster Recovery Plan Validation Reports on the Service Trust Portal that describe the validation and maintenance of BCDR plans for selected online services.
Microsoft's commitment to enable compliance under DORA
Microsoft is preparing to meet the requirements under DORA, as applicable to it and to the key services it provides to financial entities that use its cloud services for critical or important functions. For over a decade, Microsoft has invested significantly in helping financial institutions meet their regulatory obligations when using Microsoft cloud services: from the commercial contracts we make available consistent with the ESAs' outsourcing guidelines, to the transparency and assurance provided through the Service Trust Portal and other resources, to the many built-in security features of our cloud services. Coupled with the breadth of capabilities we offer to help customers manage risk and oversee their use of our cloud services on a continuous basis, the elements of DORA are a natural next step toward maintaining operational resilience and using Microsoft cloud services with confidence. We are also working with regulators in other jurisdictions, such as the UK, that are implementing measures similar to DORA, and are preparing to meet those requirements as well.
Strengthening operational resilience is a broad topic that extends beyond DORA compliance or addressing vendor and concentration risk. It requires a strategy and vision that links risk management with how technology is deployed and processes are optimized with resilience in mind. We believe cloud technology and innovations such as AI have an important role to play here, because they help strengthen protections against unexpected outages, increase the overall reliability of services and operations, and strengthen cybersecurity. As a next step, consider reviewing Microsoft's Digital Operational Resilience Act (DORA) E-Book, which describes six steps you can take to build operational resilience.