DORA IN A NUTSHELL
PAUL C DWYER
The Digital Operational Resilience Act (DORA) is a new EU regulation that aims to strengthen the information and communication technology (ICT) security of financial entities in the European Union (EU). It was published in the Official Journal of the EU on 27 December 2022 and enters into force on 16 January 2023. It will apply to a wide range of financial entities, including credit institutions, investment firms, central securities depositories, central counterparties, trading venues, benchmark administrators, fund management companies, insurance and reinsurance undertakings, insurance intermediaries, payment institutions, electronic money institutions, crypto-asset service providers, issuers of asset-referenced tokens, and crowdfunding service providers. There are limited exclusions for smaller firms, and DORA will also reach third-party ICT service providers such as cloud platforms and data analytics providers.
The main objective of DORA is to prevent and mitigate cyber threats and to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats, so that a high level of digital operational resilience is achieved across all EU member states. To this end, DORA imposes uniform requirements concerning the security of the network and information systems supporting the business processes of financial entities. These cover ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; information and intelligence sharing in relation to cyber threats and vulnerabilities; and measures for the management of ICT third-party risk. Firms will be required to assess ICT concentration risk across all contractual arrangements relating to the delivery of critical or important functions, and the competent authority will have the power, as a measure of last resort, to require a firm to temporarily suspend the use of, or terminate its contract with, a critical ICT third-party service provider.
Certain third-party ICT service providers that are designated as "critical" by the European Supervisory Authorities (ESAs) will be subject to a new oversight framework. This will bring these firms within the regulatory perimeter for the first time and subject them to supervisory powers. The ESAs will assess whether each critical ICT third-party service provider has comprehensive, sound, and effective rules, procedures, mechanisms, and arrangements in place to manage cyber risk.
Who does DORA apply to?
- credit institutions
- payment institutions
- account information service providers
- electronic money institutions
- investment firms
- crypto-asset service providers
- central securities depositories
- central counterparties
- trading venues
- trade repositories
- managers of alternative investment funds
- management companies
- data reporting service providers
- insurance and reinsurance undertakings
- insurance intermediaries
- reinsurance intermediaries
- institutions for occupational retirement provision
- credit rating agencies
- administrators of critical benchmarks
- crowdfunding service providers
- securitisation repositories
- ICT third-party service providers
What are the key dates?
The key DORA dates and milestones are as follows. The Digital Operational Resilience Act was published in the Official Journal of the European Union on 27 December 2022. It enters into force on 16 January 2023 and applies from 17 January 2025.
The ESAs (European Supervisory Authorities: EBA, EIOPA and ESMA) have been tasked with developing the regulatory and implementing technical standards (the Level 2 rules) that will apply to all financial entities within the scope of DORA. These technical standards are expected to be adopted by the end of 2024. Firms should begin preparing for DORA now in order to be compliant when it applies in January 2025.
What do the fines look like?
DORA does not itself fix a single EU-wide fine for financial entities. Under Article 50, each Member State lays down the administrative penalties and remedial measures for breaches of the Regulation, which must be effective, proportionate and dissuasive, and Member States may additionally provide for criminal penalties. The figures often quoted (2% of total annual worldwide turnover, or EUR 1,000,000 for an individual) do not appear in the text of the Regulation; the level of any penalty will depend on national law, the severity of the breach and the financial entity's cooperation with the competent authority.
Failure to report major ICT-related incidents within the required timelines is a breach of the Regulation and can attract those national penalties (notification of significant cyber threats, by contrast, is voluntary under Article 19(2)). For ICT third-party service providers designated as "critical", the regime is different: under Article 35 the Lead Overseer, one of the ESAs, may impose a periodic penalty payment of 1% of the provider's average daily worldwide turnover in the preceding business year, charged for each day until the provider complies and for a period of no more than six months.
What should I do?
Get DORA Certified Training – www.DORAtraining.eu
Paul C Dwyer is the ICTTF President, recognised as one of the world’s foremost experts on cyber security, risk and privacy.
Connect to Paul here.
HEAD OFFICE
ICTTF Ltd
Unit 8, Kinsealy Business Park,
Kinsealy Lane,
Malahide,
Co Dublin
K36 CX92
info@icttf.org
support@icttf.org
+353 (0)1 905 3263
Copyright © - All Rights Reserved - ICTTF Ltd. - Registered Company in Ireland: 567446 - VAT No IE3395678DH