The European Union’s Digital Operational Resilience Act (DORA) came into effect on January 17, 2025. DORA aims to harmonise rules concerning the provision of information and communication technology (ICT) services to regulated financial institutions and ensure they are capable of maintaining their operations through periods of severe disruption.
Quick Hits
- The EU Digital Operational Resilience Act (DORA) aims to enhance security and resilience for financial institutions across Europe, protecting them from severe operational disruptions, such as cyberattacks or information and communication technology (ICT) incidents.
- DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, credit agencies, crypto-asset service providers, and ICT third-party service providers used within the financial sector.
- The European Supervisory Authorities (ESAs) have the authority to impose fines for noncompliance as of January 17, 2025.
DORA applies to financial entities operating within the EU and to the critical third-party technology service providers supporting them, including providers established outside the EU. Under DORA’s mandate, financial market participants are subject to strict and complex requirements for various aspects of ICT risk management. These obligations range from reporting and incident management to resilience testing and third-party risk management.
Key Measures
Financial entities within the scope of DORA must adopt and comply with obligations, including the following:
- Developing and maintaining a comprehensive ICT risk management framework capable of classifying, monitoring, preventing, or mitigating ICT-related risks, with regular reviews and internal audits.
- Establishing processes for reporting ICT-related or major incidents to the relevant supervisory authorities. National authorities will have to submit registers to ESAs by the end of April 2025.
- Developing and regularly reviewing an ICT third-party risk management strategy, including mandatory provisions in contracts with ICT service providers and a register of information documenting all existing contractual arrangements.
- Enforcing a digital operational resilience testing program that includes a range of assessments and tools.
- Encouraging financial entities to share information and intelligence about known cybersecurity risks.
DORA will apply directly to service providers designated as critical to the sector. It is not anticipated that essential ICT third-party service providers will be designated under DORA before the third quarter of 2025. Nonetheless, any service provider that fulfils the requirements for a critical third-party service provider level 2 may want to evaluate its operational processes in accordance with DORA specifications.
DORA is not directly applicable in the United Kingdom; however, the provisions will apply to UK organisations that have operations or interactions within the EU. In the UK, on January 1, 2025, the Policy Statement 16/24 issued jointly by the Financial Conduct Authority and the Prudential Regulation Authority, “Operational resilience: Critical third parties to the UK financial sector,” took effect, implementing similar resilience requirements for critical third parties operating within the UK.