ARTICLE
29 January 2025

DORA Now In Force In The EU

Cadwalader, Wickersham & Taft LLP


Cadwalader, established in 1792, serves a diverse client base, including many of the world's leading financial institutions, funds and corporations. With offices in the United States and Europe, Cadwalader offers legal representation in antitrust, banking, corporate finance, corporate governance, executive compensation, financial restructuring, intellectual property, litigation, mergers and acquisitions, private equity, private wealth, real estate, regulation, securitization, structured finance, tax and white collar defense.

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector ("DORA"), which establishes a uniform set of requirements relating to the security of network and information systems supporting financial system participants' business processes, is now live as of 17 January 2025, without any transitional provision.

A wide range of rules for managing ICT risks, including risks linked to ICT third-party service providers, is now in force. DORA applies to nearly all financial entities regulated in the EU, with very few exemptions for smaller institutions. For the first time, it also covers major unregulated ICT third-party service providers, a significant shift in European financial regulation.

In particular, DORA requires financial firms to:

  • have internal governance and control frameworks that ensure they manage all ICT risks effectively;
  • have a robust ICT risk management framework that enables them to address ICT risk;
  • report major ICT-related incidents and notify significant cyber threats to their competent authorities;
  • carry out digital operational resilience testing (see Digital Operational Resilience Testing);
  • manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework; and
  • share information and intelligence about cyber threats and vulnerabilities.

DORA also lays down rules for the establishment and conduct of a new oversight framework for critical ICT third-party service providers (which includes many of the large technology companies) when they provide services to the firm.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
