Along with the NIS2 directive, the Digital Operational Resilience Act (DORA)1 is an essential piece of European legislation aiming to bolster cybersecurity within the EU. Unlike the NIS2 directive, DORA aims specifically at enhancing the operational resilience of the financial sector, while establishing a comprehensive framework to ensure that all financial entities regulated under DORA can withstand, respond to, and recover from disruptions and threats related to information and communications technology (ICT).
Read our Legal Insight on The state of cybersecurity regulation in the Czech Republic: NIS 2 transposition underway, deadline 17 October 2024.
Supplementing other regulatory frameworks mandated by the EU, DORA introduces a unified set of standards for digital operational resilience, which regulated financial entities must integrate into their risk management strategies following its applicable date of 17 January 2025.
|
NIS2 Another important piece of European cybersecurity legislation is the second Network and Information Security Directive (NIS2), which, in contrast to DORA, introduces a harmonised framework for the oversight and supervision of ICT risk management in other critical sectors. |
To whom does the regulation apply?
To establish a high level of cybersecurity within the EU's financial system, European legislators decided to include many financial institutions under DORA. These will be obliged to apply the rules and standards introduced by the regulation to varying degrees. The list of obliged entities under DORA includes:
- credit institutions;
- investment firms;
- insurance and reinsurance undertakings;
- payment and electronic money institutions;
- alternative investment fund managers;
- (UCITS) management companies;
- crypto-asset service providers;
- crowdfunding service providers; and
- ICT third-party service providers.
The entities subject to DORA are recognised as essential to the infrastructure and security of the EU's financial system. As such, they are expected to maintain a high level of digital operational resilience to protect both the financial markets as well as their participants.
Obligations under DORA
Entities subject to DORA are expected to comply with a range of requirements imposed by the regulation, including various technical, organisational and legal measures. The core obligations to be implemented by the respective entities are:
- ICT risk management;
- reporting of cybersecurity incidents to competent authorities, including the establishment of communication channels;
- regular testing of digital operational resilience;
- regular training of employees and managers; and
- management of risks related to third-party service providers, including setting up key contractual provisions with such providers.
In addition to these core obligations, under certain conditions financial institutions may also enter into information-sharing arrangements on cyberthreat information and intelligence. These should further solidify security and cyberthreat awareness across the EU through sharing of experience with cyberattacks and practical solutions.
What's next?
As the date of application of the DORA regulation is approaching, all potentially concerned institutions should assess whether they will be affected by the new rules and to what degree. The regulation will entail substantial obligations, and compliance will demand considerable time and resources. Therefore, we advise allocating sufficient resources and obtaining technical and legal advisory support in a timely manner.
Footnote
1. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.