In today’s digital society, cybersecurity and cyber resilience have become a top priority for lawmakers. On 14 December 2022, the EU adopted Regulation (EU) 2022/2554 of the European Parliament and of the Council on Digital Operational Resilience for the Financial Sector (commonly referred to as the Digital Operational Resilience Act or “DORA”) as part of its Digital Finance Package. DORA aims to set up a strong, harmonised legal framework to ensure that EU financial institutions are resilient against digital disruptions and cyber threats. Its provisions will become applicable on 17 January 2025.
DORA is a response to the EU’s recognition of increasing ICT-related risks and dependencies in the financial sector and aims at:
- Reinforcing the resilience of financial entities against ICT-related incidents and cyber threats.
- Harmonising digital operational resilience standards across member states building on existing standards and guidelines across the sector, preventing regulatory fragmentation.
- Enhancing the accountability of, and creating direct supervision over, third-party ICT service providers that are critical to the financial sector as a whole.
Scope and coverage
DORA applies to a broad range of entities within the EU financial sector, including banks, insurance companies, crypto-asset service providers, and payment institutions. The regulation also significantly affects third-party ICT service providers that deliver services to these financial entities.
Key requirements and obligations
DORA is structured around the following five pillars:
1. ICT Risk Management
Financial institutions must implement an extensive framework to manage their ICT risks. DORA provides detailed requirements aimed at ensuring that financial entities can identify, assess, monitor and mitigate all the ICT risks they are exposed to. Key elements of that framework include governance obligations, the mapping of all ICT assets and the risks linked to them, continuous monitoring of all ICT systems and assets, having incident response and recovery plans in place, and implementing measures to remain up to date with regard to ICT risks and threats.
2. Incident Reporting and Management
Building on existing standards within the industry for incident reporting, DORA establishes standardised procedures to report incidents to competent authorities. Under DORA, incidents will be categorised and reported in a harmonised way across the EEA and the entire financial sector.
3. Operational Resilience Testing
To better prepare against potential incidents, DORA requires financial institutions to conduct regular ICT operational tests to assess their resilience against ICT disruptions. Financial entities designated as systemically important institutions will also be required to conduct advanced threat-led penetration tests (TLPTs), in which simulated cyber-attacks replicate real-world threats to assess system vulnerabilities.
4. Third-Party Risk Management
Recognising the growing importance of third-party service providers and the role they play in the resilience of the financial sector in general, DORA includes stringent third-party risk management requirements that apply throughout the entire relationship between the provider and the financial entities. Key obligations in that context include:
- Due diligence of the third-party provider: financial entities must conduct appropriate due diligence before engaging with ICT providers, with a comprehensive assessment of the providers’ cybersecurity practices, resilience, and compliance with EU regulations.
- Continuous monitoring: during the course of the relationship, third-party providers and the risks they pose must continuously be monitored based on the criticality of the services provided and risks arising from the use of their services. Using a risk-based approach, high-risk providers should be subject to more frequent evaluations to ensure their compliance with security standards.
- Contract management: financial entities must include specific key contractual provisions in their agreements with ICT service providers to ensure their rights are adequately safeguarded from a contractual perspective. These include, among other things, provisions to ensure effective monitoring, compliance with security standards, the possibility to audit the provider, termination rights, obligations regarding subcontracting by the ICT service provider, and cooperation in case of an incident.
- Exit strategies for ICT service providers supporting critical functions: financial entities must put in place exit strategies for essential third-party services supporting critical functions, ensuring continuity in case of contract termination or service degradation.
5. Information sharing
Recognising that cyber threats become more elaborate and complex over time, DORA promotes the voluntary exchange of cyber threat information among financial entities to help them better prepare for and adapt to all threats. To do so, it creates a legal framework under which trusted communities can communicate through structured information-sharing arrangements that safeguard the potentially sensitive nature of the shared information.
Oversight of critical ICT service providers
One of the novelties of DORA is that certain ICT service providers to the financial sector (unregulated until now) become subject to oversight by the European Supervisory Authorities (ESAs). Under DORA, ICT service providers that are critical for the financial sector as a whole will have to be registered and will be subject to direct oversight by the ESAs themselves. This oversight includes compliance reviews to ensure that critical providers meet EU cybersecurity and operational resilience expectations.
Implementing Acts and Technical Standards
DORA mandates the European authorities to adopt implementing acts that specify technical standards for DORA compliance. These implementing acts (some already adopted, others still in draft at the time of writing) detail the technical requirements for, among other things, ICT risk management, resilience testing, incident reporting, and third-party monitoring. They provide further guidance on risk assessment methodologies, the incident classification process, and reporting templates, ensuring consistency across the EU. Once finalised, these acts will form part of DORA’s regulatory framework.
Date of application
The obligations under DORA will apply from 17 January 2025. On this date, financial entities will be required to fully comply with all aspects of DORA, including core requirements such as incident reporting and ICT risk management, as well as provisions on third-party oversight and operational resilience testing.
Conclusion
DORA represents a transformative regulatory approach to managing ICT risks across the EU financial sector, in line with other EU developments around ICT risks and cyber resilience as a whole. Through its comprehensive obligations, including ICT risk management, incident reporting, resilience testing, and third-party oversight, DORA aims to establish a standardised defence against cyber threats and operational disruptions. With DORA applying from January 2025, financial institutions must invest in finalising their ICT risk management frameworks, proactive monitoring, and robust incident response mechanisms to meet compliance requirements.
If you have any questions or would like to discuss the potential impact of DORA regulations, feel free to reach out to us at digitalfinance@simontbraun.eu.
***
This newsletter is not legal advice or a legal opinion. You should seek advice from legal counsel of your choice before acting upon any of the information in this newsletter.