DORA – regulation on digital operational resilience for the financial sector

Latest Developments

16 January 2023 – the Digital Operational Resilience Act (DORA) came into force.


The main goal of this legislative act is to harmonise and strengthen the digital operational resilience requirements in the financial services sector against information and communication technology (ICT)-related incidents.

The DORA is part of the Digital Finance Package that the Commission unveiled in September 2020 and which included two legislative initiatives within the cybersecurity domain: the DORA Regulation and a Directive with provisions amending eight other Directives.

How could it be relevant for you?

The Act focuses on financial entities regulated at EU level, such as banks, payment providers, electronic money providers, investment firms, crypto-asset service providers (e.g., data center service providers), and on ICT third-party service providers. Co-legislators have agreed that the inclusion of statutory auditors and audit firms in the scope of the Regulation will be subject to a review within three years.

Its central approach will be to require financial entities to maintain an ICT risk management framework, to report major ICT-related incidents to the competent authorities, to undertake resilience testing, and to carry out sound monitoring of ICT third-party risk.

Next steps:

Rules will apply from 17 January 2025.

*Information is accurate up to 22 April 2024
