DORA Regulation – Revolutionizing the Rules for Cybersecurity in the Financial Sector
With the rise of digitization and technological progress, businesses face new security challenges. The financial sector is no exception: given the potential damage and risks of cyber-attacks, it is crucial to ensure a high level of data and information protection. In response to these challenges, the European Union adopted the Digital Operational Resilience Act (DORA)[1]. This regulation is the most significant part of the EU's efforts to strengthen the digital resilience of the entire financial system, introducing a series of new rules and obligations for financial entities.
What is the DORA Regulation?
DORA, adopted in December 2022, is an EU legal instrument aimed at enhancing the resilience of the financial sector against cyber threats. DORA establishes a harmonized framework for digitization in the financial sector, sets rules for managing the risks associated with digital services, and imposes obligations regarding security incidents. The regulation's goal is not only to define rules for responding to cyber-attacks in the European financial sector and limiting their impact, but also to prevent them.
DORA was adopted as a sector-specific regulation for the financial sector in the context of the Network and Information Security (NIS2) directive[2], which sets cybersecurity rules across various sectors, such as digital services, transport, or manufacturing. In addition to these regulations, the Resilience of Critical Entities (CER) directive[3] was adopted, setting rules to strengthen the resilience of critical entities that are crucial for national security, the basic life needs of the population, public health, or the economy.
Who does DORA apply to?
DORA applies to most financial institutions, including:
- Banks
- Payment institutions
- E-money institutions
- Securities traders
- Crypto-asset service providers as per MiCA or ICOs (asset-bound token issuers)
- Crowdfunding platforms
- Investment companies
- Insurers and reinsurers
- External ICT service providers (e.g., cloud service, software, and data centre providers)
It is necessary to emphasise that DORA does not generally exclude micro or small enterprises; however, the size of the enterprise is relevant to determining the specific set of obligations.
What are the new obligations set by DORA?
DORA sets a wide range of obligations that financial institutions must comply with. As noted above, these rules may vary depending on the size and type of the entity, but in general, institutions will be required to, for example:
- Implement an ICT operational risk management framework
- Train senior staff members
- Manage and report security incidents
- Regularly test system and service resilience
- Monitor risks associated with ICT service providers
Failure to meet any of the specified obligations may lead to remedial actions or sanctions that, according to the regulation, must be effective, proportionate, and dissuasive.
By when must the obligations be met?
DORA came into effect in January 2023, and since then obliged entities have had 24 months to implement the new rules. The deadline for these entities is January 17, 2025.
Although this period might seem long, we recommend that financial institutions begin preparations immediately to ensure an efficient and smooth implementation process.
The European Supervisory Authorities (EBA, EIOPA, and ESMA)[4] have launched a public consultation on the draft Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) related to DORA. The aim of these standards is to ensure a uniform documentation framework for cybersecurity and incident reporting, for instance, criteria for incident classification or templates for information registers.
The public consultation on RTS and ITS drafts will run until September 11, 2023. Feedback can be submitted to the supervisory authorities through their website until this date.
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/2011
[2] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1148 (NIS2 Directive)
[3] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC
[4] European Banking Authority, European Insurance and Occupational Pensions Authority, and European Securities and Markets Authority