DISCLAIMER: This post was last modified on 12 April 2023. Some information in this article may not be updated.

The European Union is implementing a significant new regulation for the financial sector. The new European law, the Digital Operational Resilience Act (DORA), expands the substantial regulatory monitoring of ICT risks in financial services. It aims to reduce the risks related to outsourcing to third-party service providers and enhance the digital resilience of financial institutions within the EU.   

The DORA covers most of the regulated financial institutions in the EU, including, amongst others, banks, insurance companies and intermediaries, investment companies, pension funds, crypto-asset service providers and fund managers. All financial institutions included in the scope of this regulation’s ICT infrastructure will be affected.   

Additionally, DORA will apply to businesses that fall under the “critical ICT third-party service providers” category, covering services like cloud computing, audit, software, data analytics and data centres. 

Objectives of the Digital Operational Resilience Act  

• Identify ICT risks and improve digital resilience  
• Simplify the reporting of ICT incidents  
• Allow supervisors access to incident-related ICT information  
• Ensure the evaluation of preventive and resilience measures  
• Allow for the acceptance of testing results across borders  
• Regulate the monitoring of ICT third-party providers  
• Monitor critical ICT third-party service providers  

The act specifies a set of criteria, templates and guidelines that will influence how financial institutions manage ICT and cyber risks. As a result, all relevant sectors will adopt a single, consistent supervisory approach. 

The five key pillars of DORA 

1. ICT risk management framework. Financial institutions must have an effective, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which is regularly reviewed and audited.   

2. ICT-related incident reporting. Financial institutions must develop an incident management process to identify, control and notify ICT-related incidents. The reporting requirement to the appropriate authorities has strict timelines for incidents that qualify as “major.” Financial institutions must review and update their existing internal incident reporting systems and, where applicable, outsourcing arrangements to comply with these notification requirements.   

3. Digital operational resilience testing. Financial institutions must implement robust and extensive testing plans to ensure digital operational resilience. Any weaknesses, deficiencies or gaps must be recognised and swiftly eliminated or minimised by counteractive measures. Moreover, the requirements for testing digital operational resilience must align with the business’s size, nature and risk profile of the entities.   

4. ICT third-party risk management. To control ICT third-party risks, the DORA establishes principles-based guidelines for monitoring the risks related to outsourced tasks. It mandates that outsourcing agreements adhere to specific minimum contracting requirements. Furthermore, the regulation establishes a framework for overseeing crucial third-party service providers by European Supervisory Authorities (ESAs).   

5. Information sharing. Financial institutions are encouraged to share information and intelligence about cyber threats through agreements that safeguard the potentially sensitive nature of the shared data. 

Applications of the act 

The DORA has full legal force and applies to all EU Member States. Below are the financial entities regulated under the DORA:   

• Credit institutions  
• Payment institutions and electronic money institutions  
• Investment firms  
• Crypto-asset service providers  
• Central securities depositories  
• Central counterparties  
• Trading venues and trade repositories  
• AIFMs and management companies  
• Data reporting service providers  
• Insurance and reinsurance undertakings and intermediaries  
• Institutions for occupational retirement pensions  
• Credit rating agencies  
• Statutory auditors and audit firms  
• Administrators of critical benchmarks  
• Crowdfunding service providers  
• Securitisation repositories  

Timeline  

The EU Council formally adopted DORA on 28 November 2022. This was the final step in the legislative process, and each EU member state will now pass it into law. In addition, the European Supervisory Authorities will develop technical standards that all relevant financial entities must follow. They will have 24 months to implement the regulation. Therefore, the DORA is expected to enter into force in early 2025. 

Next steps 

Understanding the new requirements comes first. Financial institutions must assess and improve their current ICT landscape’s resilience level to comply with the act. Reviewing and updating internal policies, processes, governance and control frameworks is crucial to ensure compliance with DORA requirements.   

Additionally, financial institutions must define, develop and enforce an ICT-related incident management process to identify, track, log, categorise, classify and report ICT-related incidents. A further requirement is to ensure all contracts and outsourcing agreements align with DORA principles. 

How can we help?  

Our experts can help you adapt, improve and comply with new policies in this rapidly changing regulatory climate. With our cutting-edge technology, in-depth regulatory knowledge and understanding of the financial services sector, we assist clients in managing risk, combating financial crime and fraud and meeting evolving customer needs.  

Contact our team to learn more about our services. 

Bolder Group does not provide financial, tax or legal advice and the information contained herein is meant for general information purposes only. We strongly recommend that before acting on any of the information contained herein, readers should consult with their professional advisers. The Bolder Group accepts no liability for any errors or omissions in the information, or the consequences resulting from any action taken by a reader based on the information provided herein.

Bolder Group refers to the global network of independent subsidiaries of Bolder Group Holding BV. Bolder Group Holding BV provides no client services. Such services are provided solely by the independent companies within the Bolder Group which are each legally distinct and separate entities and have no authority (actual, apparent, implied or otherwise) to obligate or bind Bolder Group Holding BV in any manner whatsoever. The operations of the Bolder Group are conducted independently and have no affiliation with third party financial, tax or legal advisory firms or corporations.