Friday with DORA: DORA REGULATION – PURPOSE AND BASIC ASSUMPTIONS

Zofia Zborowska, Associate
5 April 2024

On December 14, 2022, the European Parliament and the Council (EU) adopted Regulation 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011, commonly referred to as “DORA” (the Digital Operational Resilience Act, also referred to as the “Regulation”). DORA aims to consolidate and update the ICT (Information and Communications Technology) risk requirements that form part of operational risk requirements, which were previously scattered across various EU legal acts. DORA will apply from January 17, 2025.

The aim of the Regulation is to raise awareness of ICT risks and demonstrate that both ICT incidents and the lack of adequate digital operational resilience pose a threat to the financial well-being of obligated entities.

What changes does the Regulation introduce?

The Regulation requires the financial sector to implement specific measures to strengthen its cyber-security, both with respect to an entity’s internal and external environment and taking into account its overall risk profile and business strategy. The goal of DORA is to address risks arising from all types of ICT services, which the Regulation understands broadly as digital and data services provided continuously via ICT systems to one or more internal or external users (excluding traditional analogue telephony services).

What areas does the Regulation regulate?

As stated in Article 1 of DORA, the Regulation establishes the following uniform requirements for the security of networks and information systems supporting the business processes of financial entities:

  • requirements applicable to financial entities with respect to:

I. managing risks associated with the use of information and communication technologies;

II. reporting serious ICT-related incidents to the competent authorities and voluntarily informing them of significant cyber threats;

III. reporting serious operational incidents or serious payment-related security incidents to the competent authorities by the following financial entities: credit institutions, payment institutions (including payment institutions exempted pursuant to Directive (EU) 2015/2366), account information access service providers, and electronic money institutions (including electronic money institutions exempted pursuant to Directive 2009/110/EC);

IV. digital operational resilience testing;

V. sharing of information and intelligence in relation to cyber threats and vulnerabilities;

VI. measures for the sound management of risk arising from external ICT service providers;

  • requirements for contractual arrangements between external ICT service providers and financial entities;
  • rules for the establishment and operation of a supervisory framework for key external ICT service providers providing services to financial entities;
  • rules for cooperation between competent authorities, and rules for supervision and enforcement by competent authorities on all issues covered by the Regulation.
