The Digital Operational Resilience Act
The Digital Operational Resilience Act (DORA) sets out requirements for the security of the network and information systems of organisations operating in the financial sector, and of critical third parties that provide information and communication technology (ICT) services to them – e.g., data analytics services, data centres or cloud computing platforms, but excluding providers of hardware components.
Affected businesses
DORA targets businesses and organisations that operate in the financial sector (including credit institutions, investment firms, payment institutions, trading venues and repositories, insurance intermediaries, and credit rating agencies), as well as critical third parties that offer ICT-related services to financial entities.
Whether an entity falls within the scope of being a ‘critical ICT third-party service provider’ will be determined by an assessment carried out by the European Supervisory Authorities.
Key impacts
The main objectives of DORA are:
ICT risk management – DORA lays out a set of key principles and requirements on ICT risk management. These requirements revolve around specific functions in ICT risk management (identification, protection and prevention, detection, response and recovery, learning and evolving, and communication). Financial entities are required to set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk; identify, on a continuous basis, all sources of ICT risk; set up protection and prevention measures and promptly detect anomalous activities; and put in place dedicated and comprehensive business continuity policies and disaster recovery plans as an integral part of the operational business continuity policy.
Reporting of ICT-related incidents – DORA sets out a general requirement for financial entities to establish and implement a management process to monitor and log ICT-related incidents. ICT-related incidents deemed major must be reported to the competent authorities. Reports must use a common template and follow a harmonised procedure. Financial entities should submit initial, intermediate and final reports, and inform their users and clients if the incident has, or may have, an impact on their financial interests.
Operational resilience testing – An organisation’s ICT risk management framework needs to be reviewed at least annually to ensure preparedness, to identify weaknesses, deficiencies or gaps, and to ensure the prompt implementation of corrective measures.
Information sharing – Financial entities are allowed to set up arrangements to share cyber threat information amongst themselves in order to raise awareness of ICT risk, minimise its spread, and support the defensive capabilities and threat detection techniques of financial entities.
Management of third-party risk – The management of ICT third-party risk is an integral component of the ICT risk management framework. As part of that framework, financial entities shall adopt and regularly review a strategy on ICT third-party risk, which shall include a policy on the use of ICT services provided by ICT third-party service providers.
Enforcement
DORA itself does not provide for fines or other criminal sanctions for non-compliance.
Key timings
DORA was published in the Official Journal of the European Union on 16 January 2023.
There will be a two-year transition period, and DORA will apply as of 17 January 2025.
This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.