Aiming for harmonised digital operational resilience in the EU financial sector
On 27 December 2022, the new EU regulation on digital operational resilience for the financial sector (DORA), was published in the Official Journal of the EU and enters into force on the 16th of January 2023. In-scope entities have until 25 January 2025 to prepare for the start of DORA’s application.
DORA aims to establish a harmonized and streamlined digital operational resilience framework across the EU financial sector. It will also establish a new oversight framework for critical ICT third-party service providers that provide ICT services to financial entities.
DORA will apply to the majority of financial entities, including: credit, payment and e-money institutions, investment firms, crypto-asset service providers, issuers of crypto-assets, insurance and reinsurance undertakings, credit rating agencies, statutory auditors and audit firms and crowdfunding service providers. DORA will also apply to ICT third-party service providers which are designated as "critical" for financial entities.
“DORA will have significant impact on all financial entities and service providers in scope.”
Among other requirements, all financial entities and service providers caught by DORA will be required to:
- implement governance and control frameworks to manage ICT risks effectively within such frameworks;
- carry out enhanced digital operational resilience testing;
- manage ICT third-party risk with ICT management frameworks; and
- report major ICT related incidents to competent authorities.
DORA will have significant impact on all financial entities and service providers in scope. Although there is 24 month implementation period, it is important that those entities falling within the scope of DORA should start preparing for its implementation now.
Firstly, a thorough assessment of the new requirements against current policies, processes and practises implemented with financial entities should be applied to identify potential compliance gaps. ICT services provider with customers in the financial services sector should consider whether or not the classification as a ‘critical’ ICT third-party service provider is likely to apply on their business. If so, it may be prudent to start thinking about the compliance strategy that will need to be planned and implemented in time for the compliance window to be met.
DORA: A harmonized framework to strengthen the digital operational resilience of the EU financial sector
12 January 2023
360° Rund ums Recht Podcast: Dealing with cybercrime – how to prepare for and protect against cyberattacks
29 May 2022
For more information regarding DORA and how it will affect your business, please contact your usual DLA Piper advisor.