Deadline To Apply DORA Looms

Schoenherr Attorneys at Law


We are a full-service law firm with a footprint in Central and Eastern Europe providing local and international companies stellar advice. As the go-to legal advisor for complex commercial matters in the region, Schoenherr aims to use its proximity to industry leaders, in developing practical solutions for future challenges. We keep a close eye on trends and developments, which enables us to provide high quality legal advice that is straight to the point.
Along with the NIS2 directive, the Digital Operational Resilience Act (DORA) is an essential piece of European legislation aiming to bolster cybersecurity within the EU.
Czech Republic Technology
To print this article, all you need is to be registered or login on

Along with the NIS2 directive, the Digital Operational Resilience Act (DORA)1 is an essential piece of European legislation aiming to bolster cybersecurity within the EU. Unlike the NIS2 directive, DORA aims specifically at enhancing the operational resilience of the financial sector, while establishing a comprehensive framework to ensure that all financial entities regulated under DORA can withstand, respond to, and recover from disruptions and threats related to information and communications technology (ICT).

Read our Legal Insight on The state of cybersecurity regulation in the Czech Republic: NIS 2 transposition underway, deadline 17 October 2024.

Supplementing other regulatory frameworks mandated by the EU, DORA introduces a unified set of standards for digital operational resilience, which regulated financial entities must integrate into their risk management strategies following its applicable date of 17 January 2025.


Another important piece of European cybersecurity legislation is the second Network and Information Security Directive (NIS2), which, in contrast to DORA, introduces a harmonised framework for the oversight and supervision of ICT risk management in other critical sectors.

To whom does the regulation apply?

To establish a high level of cybersecurity within the EU's financial system, European legislators decided to include many financial institutions under DORA. These will be obliged to apply the rules and standards introduced by the regulation to varying degrees. The list of obliged entities under DORA includes:

  • credit institutions;
  • investment firms;
  • insurance and reinsurance undertakings;
  • payment and electronic money institutions;
  • alternative investment fund managers;
  • (UCITS) management companies;
  • crypto-asset service providers;
  • crowdfunding service providers; and
  • ICT third-party service providers.

The entities subject to DORA are recognised as essential to the infrastructure and security of the EU's financial system. As such, they are expected to maintain a high level of digital operational resilience to protect both the financial markets as well as their participants.

Obligations under DORA

Entities subject to DORA are expected to comply with a range of requirements imposed by the regulation, including various technical, organisational and legal measures. The core obligations to be implemented by the respective entities are:

  1. ICT risk management;
  2. reporting of cybersecurity incidents to competent authorities, including the establishment of communication channels;
  3. regular testing of digital operational resilience;
  4. regular training of employees and managers; and
  5. management of risks related to third-party service providers, including setting up key contractual provisions with such providers.

In addition to these core obligations, under certain conditions financial institutions may also enter into information-sharing arrangements on cyberthreat information and intelligence. These should further solidify security and cyberthreat awareness across the EU through sharing of experience with cyberattacks and practical solutions.

What's next?

As the date of application of the DORA regulation is approaching, all potentially concerned institutions should assess whether they will be affected by the new rules and to what degree. The regulation will entail substantial obligations, and compliance will demand considerable time and resources. Therefore, we advise allocating sufficient resources and obtaining technical and legal advisory support in a timely manner.


1. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More