On 28 November 2022, the Council of the European Union ("EU") (the "Council") adopted the Digital Operational Resilience Act ("DORA"), the final step in the legislative approval process, having been adopted by the European Parliament on 10 November 2022.
Background to DORA
DORA was part of a larger digital finance package published by the European Commission (the "Commission") in September 2020, which, in addition to DORA, contained a digital finance strategy; a retail payments strategy for the EU; and a proposed regulation on crypto-assets ("MiCA").
The Commission's rationale for proposing DORA in particular related to the:
- increased risks arising from the financial services sector's reliance on Information and Communication Technologies ("ICT");
- lack of harmonised EU-level rules on digital operational resilience and the consequent fragmented and inconsistent rules at member state level.
Additionally, DORA is consistent with the wider efforts at an EU level to strengthen cybersecurity and broader operational risks.
What is DORA?
DORA creates a regulatory framework on digital operational resilience whereby all EU financial entities are required to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. In particular, DORA:
- enhances and streamlines the financial entities' conduct of ICT risk management;
- establishes thorough testing of ICT systems and increases supervisors' awareness of cyber risks and ICT-related incidents faced by financial entities;
- introduces powers for financial supervisors to oversee risks stemming from financial entities' dependency on ICT third-party service providers;
- creates a consistent incident reporting mechanism that will help reduce administrative burdens for financial entities; and
- strengthens supervisory effectiveness.
Application of DORA
DORA applies to a wide range of financial firms (as detailed in the table below), as well as critical third parties which provide ICT-related services to these firms. Importantly, DORA acknowledges that these firms differ in size and in overall exposure to digital risk, and therefore adopts a proportionate application of the rules.