DORA — Digital Operational Resilience Act
EU Regulation 2022/2554 on digital operational resilience of the financial and insurance sector. ICT risk management, incident reporting, third-party risk, testing.
What is DORA and who is required?
DORA (Digital Operational Resilience Act) is EU Regulation 2022/2554, harmonising digital operational resilience requirements for the European financial sector. Applicable from 17 January 2025, it covers 5 pillars: (1) ICT risk management framework; (2) ICT incident management and reporting to authorities (IVASS for Italian insurance); (3) digital operational resilience testing, including TLPTs; (4) third-party ICT risk management; (5) information sharing among entities on cyber threats. Insurers, MGAs and structured brokers are in scope as "financial entities". NewPicass 14.Net, as an ICT third-party service provider, supports the regulated customer by providing native controls, evidence and certifications, and actively collaborates in incident reporting and TLPT processes.
DORA's 5 operational chapters
ICT Risk Management
ICT risk governance
Critical asset identification, classification, controls, encryption, asset register, vulnerability management. NewPicass maintains an internal asset register, a classification policy and a 30-day patch window for critical vulnerabilities.
Incident Reporting
ICT incident classification and reporting
"Major" incident definition (art. 18 criteria), 4h initial / 72h intermediate / 1-month final notification. NewPicass notifies the customer within 30 minutes of discovery and provides technical logs and an RCA for the regulatory submission.
Operational Resilience Testing
Periodic resilience testing + TLPT
Mandatory annual security testing (vulnerability assessment, scenario-based testing, red team) + triennial TLPT for larger entities. NewPicass conducts annual penetration tests with a report shareable under NDA.
Third-Party ICT Risk
Critical ICT vendor management
Pre-contract due diligence, DORA-compliant standard contract (subcontracting, audit right, exit, data location), continuous monitoring, exit strategy. NewPicass provides a DORA-aligned contract template.
Information Sharing
Threat-information sharing
Voluntary participation in threat-intelligence sharing mechanisms among financial entities. NewPicass participates in the Italian Finance CERT for its Italian regulated customers.
What NewPicass 14.Net does vs what remains yours
Covered by the platform
- Immutable audit trail with 10-year retention
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Two active-active data centers in EU
- RPO ≤ 15 min, RTO ≤ 1 hour
- Quarterly tested BCP + annual DR test
- Customer incident notification within 30 min
- ISO 27001:2023 certified + SOC 2 Type II
- Annual penetration test
- DORA-aligned contract template
Regulated customer responsibility
- Internal ICT risk management framework
- Decision on incident "major" classification
- Incident report submission to regulator (IVASS)
- Triennial TLPT exercise (if in scope)
- Pre-contract vendor due diligence
- Corporate ICT policy
- Employee cyber-awareness training
- Defining own exit strategy
- Information sharing participation
Frequently asked questions on DORA
Does DORA apply to Italian insurance companies?
Yes. EU Regulation 2022/2554 applies to all "financial entities", explicitly including insurance and reinsurance undertakings (art. 2 §1 g/h) and insurance and reinsurance intermediaries above an organisational threshold (art. 2 §1 m). In Italy this means all IVASS-supervised insurers, structured brokers and MGAs. Applicable from 17 January 2025.
Does DORA also apply to IT providers like NewPicass 14.Net?
Indirectly, yes. NewPicass 14.Net is not a "financial entity" but is an "ICT third-party service provider" to regulated customers. The regulated customer is responsible for vendor due diligence (art. 28-30); we are responsible for providing the required evidence (certifications, SLAs, incident notification, exit strategy).
What does "ICT incident reporting" mean in DORA?
DORA art. 17-23 requires financial entities to classify, manage and report "major" ICT incidents to the competent authorities (IVASS in Italy) within strict deadlines (initial 4h, intermediate 72h, final 1 month). NewPicass 14.Net notifies the customer within 30 minutes of incident discovery, providing technical logs, root cause and mitigation details so that the customer can meet their regulatory deadlines.
What are TLPTs (Threat-Led Penetration Tests)?
DORA art. 26-27 requires larger financial entities (categorised by the regulator) to conduct TLPTs — threat-intelligence-led penetration tests by certified providers — at least every 3 years. For our customers in TLPT scope, NewPicass 14.Net participates in the test perimeter, providing controlled access to test infrastructure and supporting the remediation plan.
Do you have a tested Business Continuity Plan?
Yes. Two active-active data centers with automatic failover (RPO ≤ 15 min, RTO ≤ 1 hour), tested quarterly with tabletop exercises plus an annual live switch exercise (night-time, with post-test sign-off). Test reports are available under NDA in the Trust Center.
Can I terminate the contract quickly in case of issues?
Yes. In line with DORA art. 28 §7 and §8 on "contracts with critical ICT third-party providers", our standard contract includes: an exit-right clause with reasonable notice, exercisable before natural expiry in case of a documented serious breach; a documented operational exit strategy (standard-format data export, migration support); and a customer or regulator audit right. Operational terms are set out in the contractual framework.
Audit your DORA compliance with us
45 minutes with a compliance engineer. We walk through the platform's coverage on this framework and identify the gaps you still need to close on your side.