What is the EU Digital Operational Resilience Act (DORA)?
On 16 January 2023, the EU Digital Operational Resilience Act (DORA) entered into force. It will apply from 17 January 2025, when its requirements become mandatory. DORA consolidates and updates the rules on ICT risk management in a single legislative act, filling gaps, reducing regulatory complexity and remedying inconsistencies from previous Directives and Regulations.
In the DORA, digital operational resilience is defined as “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions” (Regulation (EU) 2022/2554 Article 3).
DORA aims to achieve a high common level of digital operational resilience across all EU member states so that the financial sector keeps functioning at all times. The requirements for financial entities cover the following topics (Article 1):
- information and communication technology (ICT) risk management;
- reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
- reporting of major operational or security payment-related incidents to the competent authorities by financial entities;
- digital operational resilience testing;
- information and intelligence sharing in relation to cyber threats and vulnerabilities;
- measures for the sound management of ICT third-party risk.
In short, financial entities need to close the gaps between their existing ICT risk management frameworks and the DORA requirements by 2025. Additionally, the following topics are included, and the management of ICT third-party risk is highlighted:
- the contractual arrangements concluded between ICT third-party service providers and financial entities;
- the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities.
Therefore, ICT companies providing services to financial entities also need to prepare for DORA compliance together with the financial entities they serve.
In case of a breach of the regulation, penalties may be imposed by the national authority ranging from administrative to criminal penalties (Article 50).
High-level requirements are described in the Regulation itself, and it is expected that the European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), will develop further guidelines (technical standards).
If you need any assistance with DORA, cybersecurity, want training for your employees, or have any questions regarding cybersecurity within your company, don’t hesitate to contact us.
References
- Digital finance: Council adopts Digital Operational Resilience Act - Consilium (europa.eu)
- Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011, https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=EN