DORA – The Digital Operational Resilience Act


Financial entities rely heavily on digital technology in their daily operations. The rise in cyber-attacks has put financial entities such as banks, insurance companies and investment firms at particular risk. The EU Council therefore adopted the Digital Operational Resilience Act (DORA) on 28 November 2022 to ensure that the financial sector in the EU can remain resilient in the face of severe disruption.

DORA entered into force on January 16, 2023, and will apply from January 17, 2025.

Goal:

DORA creates a regulatory framework for digital operational resilience, which requires all companies covered by the obligation to ensure that they can withstand, respond to and recover from all types of disruptions and threats related to ICT (Information and Communication Technologies).

The same requirements apply in all EU member states. The main objective is to prevent and mitigate cyber threats, specifically by:

  • Strengthening the operational resilience of financial entities such as banks, insurance companies and investment firms, and ensuring that the financial sector in Europe stays resilient in the event of serious operational disruption.
  • Aligning the operational resilience rules for the financial sector that apply to 20 different types of financial entities and third-party ICT service providers.
  • Increasing transparency on ICT risks and third-party ICT risks.
  • Reducing the risk of serious operational disruptions in the financial sector.

Who is obliged to comply:

  • Banks
  • Insurance companies
  • Investment firms

What DORA includes:

  • ICT risk management
  • Risk management of ICT third parties
  • Digital operational resilience testing
  • ICT Incidents
  • Supervision of critical ICT third-party service providers

The three European Supervisory Authorities (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA) and the European Securities and Markets Authority (ESMA)) are preparing a set of policy products to enable the application of DORA.

At national level, national competent authorities will monitor compliance and implement regulations as appropriate.

Because DORA is a legally binding act, every company within its scope is legally obliged to comply with it. Penalties for non-compliance with DORA can be serious, including fines calculated as a percentage of the company’s total annual revenue. Regulators will also be able to order an audit or, in extreme cases, suspend the company’s operations.

DORA preparations are underway in Croatia. In August, the implementing proposal was put out for e-consultation, and it is to be ready by 17 January 2025, when DORA is due to apply.

DORA and NIS2

Although DORA and NIS2 are two different pieces of legislation, they are linked: the European Council has aligned the text of the NIS2 directive with sectoral legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the Critical Entities Resilience Directive (CER), to ensure legal clarity and coherence between NIS2 and these acts.

NIS2 will set a baseline for cybersecurity risk management measures and reporting obligations in all sectors covered by the directive, while DORA will focus on the financial sector in line with NIS2.
