16 January 2023 – the Digital Operational Resilience Act (DORA) came into force.
The main goal of this legislative act is to harmonise and strengthen the digital operational resilience requirements in the financial services sector against information and communication technology (ICT)-related incidents.
The DORA is part of the Digital Finance Package that the Commission unveiled in September 2020 and which included two legislative initiatives within the cybersecurity domain: the DORA Regulation and a Directive with provisions amending eight other Directives.
The Act focuses on financial entities regulated at EU level, such as banks, payment providers, electronic money providers, investment firms, crypto-asset service providers (e.g., data center service providers) and to ICT third-party service providers. Co-legislators have agreed that the inclusion of statutory auditors and audit firms in the scope of the Regulation will be subject to a review within three years.
Its central approach will be to require financial entities to maintain an ICT risk management framework, to report major ICT-related incidents to the competent authorities, to undertake resilience testing as well as sound monitoring of ICT third-party risk.
Rules will apply from 17 January 2025.
*Information is accurate up to 22 April 2024