DORA: DIGITAL OPERATIONAL RESILIENCE ACT
PAUL C DWYER
The Digital Operational Resilience Act (DORA) is a new regulation that aims to strengthen the information and communication technology (ICT) security of financial entities in the European Union (EU). It was published in the Official Journal of the EU on 27 December 2022 and will enter into force on 16 January 2023.
It will apply to a range of financial entities, including credit institutions, investment firms, central securities depositories, central counterparties, trading venues, benchmark administrators, fund management companies, insurance and reinsurance undertakings, insurance intermediaries, payment institutions, electronic money institutions, crypto-asset service providers, issuers of asset-referenced tokens, and crowdfunding service providers. There are limited exclusions for smaller firms, and DORA will also apply to third-party ICT service providers such as cloud platforms and data analytics providers.
The main objective of DORA is to prevent and mitigate cyber threats and ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It aims to achieve a high level of digital operational resilience across all EU member states. To this end, DORA imposes uniform requirements concerning the security of network and information systems supporting the business processes of financial entities. This includes requirements for ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; information and intelligence sharing in relation to cyber threats and vulnerabilities; and measures for the management of ICT third-party risk. Firms will be required to conduct concentration risk assessments of all outsourcing arrangements relating to the delivery of critical or important functions, and the competent authority will have the power to order a firm to suspend or terminate a contract with a critical ICT third-party service provider as a measure of last resort.
Certain third-party ICT service providers that are designated as "critical" by the European Supervisory Authorities (ESAs) will be subject to a new oversight framework. This will bring these firms within the regulatory perimeter for the first time and subject them to supervisory powers. The ESAs will assess whether each critical ICT third-party service provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements in place to manage cyber risk.
Paul C Dwyer is the ICTTF President, recognised as one of the world’s foremost experts on cyber security, risk and privacy.