Given the ever-increasing risks of cyber-attacks, the European Union (the 'EU') has been strengthening the information and communication technology (the 'ICT') security of financial entities, such as banks, insurance companies and investment firms. The Malta Financial Services Authority (the 'MFSA') has published an updated circular in relation to the Digital Operational Resilience Act (the 'DORA'), which was enacted to ensure that the financial sector in Europe is able to stay digitally resilient.
Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) was recently published in the Official Journal of the EU and shall come into effect on the 16th of January 2023, becoming fully applicable by the 17th of January 2025 following a two-year implementation period. As provided in Recital (12), this Regulation "aims to consolidate and upgrade ICT risk requirements as part of the operational risk requirements that have, up to this point, been addressed separately in various Union legal acts. While those acts covered the main categories of financial risk (e.g. credit risk, market risk, counterparty credit risk and liquidity risk, market conduct risk), they did not comprehensively tackle, at the time of their adoption, all components of operational resilience."
Essentially, DORA introduces provisions, subject to different layers of proportionality, on financial entities in the areas of ICT risk management, ICT-related incident management, classification and reporting, digital operational resilience testing, management of ICT third-party risk (including an Oversight Framework for critical ICT third-party providers) and voluntary information-sharing arrangements, with the aim of assisting firms in ensuring that they can withstand, respond to and recover from all types of ICT-related disruptions and threats. The requirements imposed by DORA are homogeneous across all EU member states, with the ultimate aim of preventing and mitigating cyber threats, and are essentially applicable to critical third parties which provide ICT-related services to financial entities.1
This Regulation shall also be supplemented by a series of Regulatory/Implementing Technical Standards, Guidelines, Reports, Recommendations and Calls for Advice, all having different delivery deadlines as detailed in Annex 1.
1 'Digital Operational Resilience Act (DORA)' (www.digital-operational-resilience-act.com/) accessed 4 January 2023.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.