T&P Newsletter: Are you ready for DORA?
What is the DORA Regulation. The Digital Operational Resilience Act[1] (DORA) is the new, holistic regulatory approach to dealing with digital and cyber risk in the financial sector. A cornerstone of the EU Digital Finance Package, DORA was published on 27 December 2022 and entered into force on 16 January 2023. It applies from 17 January 2025.
Aim and scope. DORA’s primary focus is on harmonizing regulatory requirements for digital risk management for the financial services industry. It touches upon internal governance structures of financial entities (FEs), reporting procedures of ICT-related incidents to competent authorities, risk management in relation to third-party ICT providers and oversight of critical ICT services providers.
DORA concerns a wide typology of FEs, ranging from credit institutions and investment firms to credit rating agencies and crypto-asset service providers.
Proportionality. Given the variety of FEs within DORA's scope, the Regulation explicitly incorporates the principle of proportionality, according to which its implementation must be proportionate to the size and overall risk profile of each FE, and to the nature, scale and complexity of its services, activities and operations.
Extraterritoriality. DORA requirements apply to all FEs active in the EEA, regardless of the jurisdiction in which they are headquartered or incorporated. Similarly, third-party ICT providers located outside the EEA are also covered by DORA reporting and oversight requirements.
Interplay with existing legislation. DORA is not the first EU legal act on cybersecurity; it builds on existing network and information security legislation, currently the NIS 2 Directive[2]. DORA constitutes lex specialis for the financial sector; therefore, in the event of a conflict between the two frameworks, DORA's requirements prevail.
Components. The major components of DORA can be broken down into five separate categories as displayed in the diagram below.
[1] Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
[2] Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148.
Relevant Technical Standards. Given the highly technical and complex nature of the requirements for FEs under DORA, the EU Commission is empowered to adopt Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) in the form of Delegated Regulations, following a proposal from the competent authorities. As of September 2024, the EU Commission has adopted technical standards on:
- The criteria for the classification of ICT-related incidents and cyber threats, setting out materiality thresholds and specifying the details of reports of major incidents.
- The detailed content of the policy regarding contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.
- The ICT risk management tools, methods, processes, and policies and the simplified ICT risk management framework.
Competent authorities have further submitted final drafts of RTS and ITS on matters such as the threat-led penetration testing (TLPT) requirements and the Register of Information on third-party ICT providers, which are awaiting publication by the Commission. In total, competent authorities have published final drafts of 8 RTS and 2 ITS.
What needs to be done before January. From 17 January 2025, all in-scope FEs must be fully DORA-compliant. In practical terms, FEs must take the following steps as soon as possible:
- Establish a comprehensive ICT risk management framework, covering the identification, assessment, and mitigation of ICT risks and system vulnerabilities. The framework should define relevant policies, governance structures, incident response plans, and continuity measures.
- Prepare for ICT-related incident reporting to competent authorities.
- Adopt and prepare for the application of a testing programme comprising both regular testing methods, such as vulnerability assessments and gap analyses, and advanced testing based on TLPT, where applicable. In practical terms, this may require cooperation with IT firms that have the necessary expertise and tooling.
- Create and keep updated a Register of Information regarding third-party ICT providers, and review and revise contractual arrangements with such providers.
The active participation of the management body, the compliance function and the IT department of each FE is required to ensure a smooth transition to the new regulatory environment, and a new corporate culture of operational resilience must be established.
Concluding remarks. DORA marks a pivotal regulatory shift aimed at strengthening the digital resilience of FEs. As the January 2025 deadline approaches, firms must take immediate action to align their ICT risk management, third-party oversight, and incident reporting frameworks with DORA’s requirements. Non-compliance could result in significant financial and reputational risks.
DORA imposes significant organizational and financial burdens on FEs, especially given that malicious actors in cyberspace are often one step ahead of regulatory frameworks and best practices. The ongoing obligations of monitoring, testing and reporting will strain the staff and financial resources of FEs, especially smaller ones, as they race to keep up with the evolving threat landscape and the growing complexity of regulatory demands.