Does Digital Operational Resilience Act (DORA) require Risk Assessment?

Yes. Digital Operational Resilience Act (DORA) addresses Risk Assessment through 2 provisions.

Digital Operational Resilience Act (DORA) — Risk Assessment

This regulation imposes 8 specific requirements for Risk Assessment across 2 provisions:

ICT risk management framework — Comprehensive framework for identifying, assessing, and mitigating ICT risks
Governance — Management body must approve and oversee the ICT risk management framework
Business continuity — Establish ICT business continuity and disaster recovery plans
Cyber risk management — Address cybersecurity risks as part of the ICT risk framework
Contractual requirements — Key contractual provisions for ICT third-party service agreements
Concentration risk — Assess and manage concentration risk from third-party ICT dependencies
Critical provider oversight — Designated critical third-party providers (CTPPs) subject to ESA oversight
Exit strategies — Maintain exit strategies for critical ICT third-party services

Requirement	Details
ICT risk management framework	Comprehensive framework for identifying, assessing, and mitigating ICT risks
Governance	Management body must approve and oversee the ICT risk management framework
Business continuity	Establish ICT business continuity and disaster recovery plans
Cyber risk management	Address cybersecurity risks as part of the ICT risk framework

Requirement

Details

ICT risk management framework

Comprehensive framework for identifying, assessing, and mitigating ICT risks

Governance

Management body must approve and oversee the ICT risk management framework

Business continuity

Establish ICT business continuity and disaster recovery plans

Cyber risk management

Address cybersecurity risks as part of the ICT risk framework

Violation	Fine
Non-compliance	Determined by national competent authorities per member state law

Violation

Fine

Non-compliance

Determined by national competent authorities per member state law

Requirement	Details
Contractual requirements	Key contractual provisions for ICT third-party service agreements
Concentration risk	Assess and manage concentration risk from third-party ICT dependencies
Critical provider oversight	Designated critical third-party providers (CTPPs) subject to ESA oversight
Exit strategies	Maintain exit strategies for critical ICT third-party services

Requirement

Details

Contractual requirements

Key contractual provisions for ICT third-party service agreements

Concentration risk

Assess and manage concentration risk from third-party ICT dependencies

Critical provider oversight

Designated critical third-party providers (CTPPs) subject to ESA oversight

Exit strategies

Maintain exit strategies for critical ICT third-party services

Violation	Fine
CTPP non-compliance	ESAs may impose periodic penalty payments on critical third-party providers

Violation

Fine

CTPP non-compliance

ESAs may impose periodic penalty payments on critical third-party providers