Skip to main content
|

Add a bookmark to get started

Bookmarks info

Aiming for harmonised digital operational resilience in the EU financial sector

DORA aims to establish a harmonized and streamlined digital operational resilience framework across the EU financial sector. It will also establish a new oversight framework for critical ICT third-party service providers that provide ICT services to financial entities.

On 27 December 2022, the new EU regulation on digital operational resilience for the financial sector (DORA), was published in the Official Journal of the EU and enters into force on the 16th of January 2023. In-scope entities have until 25 January 2025 to prepare for the start of DORA’s application. 

DORA aims to establish a harmonized and streamlined digital operational resilience framework across the EU financial sector. It will also establish a new oversight framework for critical ICT third-party service providers that provide ICT services to financial entities. 

DORA will apply to the majority of financial entities, including: credit, payment and e-money institutions, investment firms, crypto-asset service providers, issuers of crypto-assets, insurance and reinsurance undertakings, credit rating agencies, statutory auditors and audit firms and crowdfunding service providers. DORA will also apply to ICT third-party service providers which are designated as "critical" for financial entities.

“DORA will have significant impact on all financial entities and service providers in scope.”

Among other requirements, all financial entities and service providers caught by DORA will be required to:

  • implement governance and control frameworks to manage ICT risks effectively within such frameworks;
  • carry out enhanced digital operational resilience testing;
  • manage ICT third-party risk with ICT management frameworks; and
  • report major ICT related incidents to competent authorities.

DORA will have significant impact on all financial entities and service providers in scope. Although there is 24 month implementation period, it is important that those entities falling within the scope of DORA should start preparing for its implementation now.

Firstly, a thorough assessment of the new requirements against current policies, processes and practises implemented with financial entities should be applied to identify potential compliance gaps. ICT services provider with customers in the financial services sector should consider whether or not the classification as a ‘critical’ ICT third-party service provider is likely to apply on their business. If so, it may be prudent to start thinking about the compliance strategy that will need to be planned and implemented in time for the compliance window to be met.

From our blogs

 For more information regarding DORA and how it will affect your business, please contact your usual DLA Piper advisor.

Related capabilities

Financial ServicesFintechTechnologyBlockchain and Digital Assets
SitemapPrivacy policyYour privacy choicesLegal noticesCookie policyMake a payment

DLA Piper is global law firm operating through various separate and distinct legal entities. For further information about these entities and DLA piper's structure, please refer the Legal Notices page of this website. All rights reserved. Attorney advertising.

© 2024 DLA Piper US