On January 17, 2025, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA”) becomes applicable in the EU.
DORA is intended to strengthen the IT security and operational resilience of financial entities and to ensure that the EU financial sector can remain resilient in the event of severe operational disruption. DORA applies to financial entities engaging in activities in the EU. Traditional financial entities, such as banks, investment firms, insurers, and credit institutions, and non-traditional entities, such as crypto-asset service providers and crowdfunding platforms, are all within scope.
Financial entities under DORA will be required to comply with new requirements in the areas of (1) risk management, (2) third-party risk management, (3) incident management and reporting, and (4) resilience testing. Key obligations include:
- Create and maintain a register of ICT service providers and, on an annual basis, report relevant information from the register to financial authorities.
- Comprehensive incident reporting obligations requiring an initial notification within 4 hours after the incident is classified as major and no later than 24 hours after becoming aware of it. Follow-up notifications will be required within 72 hours and within one month. In-scope entities will be required to notify their clients without undue delay where a major incident occurs and has a financial impact on their interests. For significant cyber threats, in-scope entities should, where applicable, inform potentially affected clients of any appropriate protection measures they may consider taking.
- Maintain a sound, comprehensive and well-documented ICT risk management framework. The financial entities’ management bodies should define, approve, oversee and take responsibility for the implementation of the ICT risk management framework. In addition, appropriate audits must be conducted with respect to the ICT risk management framework.
- Conduct post-incident reviews after a major ICT-related incident disrupts core activities.
- Establish and maintain a sound and comprehensive digital operational resilience testing program.
- Clearly allocate, in writing, the rights and obligations of the financial entity when engaging with ICT service providers, including mandatory DORA contractual provisions.
- Adopt, and regularly review, a strategy on ICT third-party risk.
In addition to financial entities, ICT service providers that provide services to financial entities will also be exposed to DORA. The degree of exposure will vary according to how critical the ICT service provider is to the sector. All ICT service providers will be subject to indirect obligations resulting from the requirements that their customers (i.e., in-scope financial entities) will be subject to under DORA (e.g., mandatory contractual provisions). In addition, ICT service providers designated as “critical” will be subject to direct obligations and specific oversight mechanisms under DORA.