The Digital Operational Resilience Act (DORA), published in the Official Journal of the European Union, came into force on 16 January 2023 and applies starting with the 17th.
In mid-December the European Union (EU) enacted new legislation aimed at harmonizing and tightening IT security rules in the financial sector: Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (Digital Operational Resilience Act, or DORA).
Taking the form of a regulation, DORA creates a harmonised regulatory framework strengthening the information and communication technology (ICT) security of financial entities. The objective of the legislation is to achieve a high common level of digital operational resilience across all EU member states.
DORA aims to prevent and mitigate cyber threats and ensure that firms can withstand, respond to and recover from all types of ICT-related disruptions and threats. It forms part of the European Commission’s digital finance package, adopted on 24 September 2020, which also included the proposals for the regulations on markets in crypto-assets (MiCA) and the pilot regime for market infrastructures based on distributed ledger technology.
DORA clarifies that ‘Financial Entities’ may share information with other Financial Entities with the aim of protecting themselves against ICT security risks, provided they notify the authorities of the corresponding arrangements and comply with privacy and competition laws. This appears to be similar in some respects to IT security-related information-sharing arrangements adopted in the US, according to the National Law Review.
The financial entities covered by DORA include:
Credit institutions;
Payment institutions, electronic money institutions, and account information service providers;
Investment firms, managers of alternative investment funds, and management companies of undertakings for collective investment in transferable securities;
Crypto-asset service providers authorised under the MiCA Regulation and issuers of asset-referenced tokens;
Central securities depositories, central counterparties, trading venues, trade repositories, and securitization repositories;
Data reporting service providers within the meaning of Regulation (EU) 600/2014;
Insurance and reinsurance undertakings, insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries, and institutions for occupational retirement provision;
Credit rating agencies;
Administrators of critical benchmarks designated by the EU Commission pursuant to Regulation (EU) 2016/1011;
Crowdfunding service providers.
DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. In particular, it imposes requirements relating to: ICT risk management; ICT-related incident management, classification, and reporting; digital operational resilience testing; information and intelligence sharing in relation to cyber threats and vulnerabilities; and measures for the management of ICT third-party risk, including requirements in relation to contractual arrangements.
Certain third-party ICT service providers that are designated by the European Supervisory Authorities (ESAs) as ‘critical’ will be subject to a newly established oversight framework, according to the European Banking Authority, the European Securities and Markets Authority, and the European Insurance and Occupational Pensions Authority. This will reportedly bring these firms within the regulatory perimeter for the first time and subject them to far-reaching supervisory powers, Dillon Eustace experts explain.
The ESAs will have broad powers to request information, conduct investigations and inspections, issue recommendations, and, in the case of non-compliance, impose financial penalties on critical ICT third-party service providers.
Looking forward, companies that fall within the scope of DORA are encouraged to start preparing for its application by identifying any gaps in their ICT governance and processes. Firms should also give consideration to which of their providers are likely to be considered critical and review their testing and recovery protocols against the standards set out in the new regulation.