The Digital Operational Resilience Act (DORA) – EU legislation in force since 16 January 2023 – sets out requirements for the security of the network and information systems that support the business processes of financial entities. DORA's aim is to centralise and harmonise legislation related to ICT compliance, but this does not mean it is a mere collection of existing obligations. The requirements laid down in DORA are likely to have a substantial impact on how financial entities arrange the governance of their ICT risks. The industry has been given two years to prepare and implement the necessary changes before DORA starts applying on 17 January 2025. While this may seem far away, significant action is likely to be needed, and financial entities are advised to start preparations as soon as possible.
Entities in scope
Wide scope: impact on nearly all financial institutions
Because DORA harmonises ICT risk requirements across the financial sector, it applies to a broad range of financial entities recognised in EU law, including credit institutions, payment institutions, investment firms, investment managers and insurance undertakings. As DORA also introduces requirements for undertakings providing ICT services to the financial sector (including direct supervisory oversight of providers designated as critical), both sides of ICT-related contracts are covered.
Exemptions – extension of DORA beyond its formal scope
Although the scope of the legislation is generally broad, it does contain exemptions and simplified regimes for financial entities with specific characteristics: for example, a simplified ICT risk management framework for small and non-interconnected investment firms and certain other small entities, proportionate application for microenterprises, and full exclusion of certain entities which benefit from exemptions or are subject to a very light regulatory framework under relevant sector-specific EU law.
Nevertheless, even businesses in the financial sector that are not directly within the scope of DORA should be aware that the new legislation will likely set industry standards and expectations that may extend beyond its formal scope of application.
The purpose of DORA is to establish a high common level of digital operational resilience through uniform and EU-wide requirements. Primarily, DORA contains rules for financial entities on the following topics:
- ICT risk management;
- Reporting and notification of major ICT incidents, significant cyber threats, and major operational or security payment-related incidents;
- Digital operational resilience testing;
- Information and intelligence sharing; and
- Management of ICT third-party risk.
DORA also contains extensive requirements governing the contractual arrangements between ICT third-party service providers and financial entities, regardless of whether these arrangements qualify as outsourcing under existing sectoral rules. This means that outsourcing relationships and policies, as well as third-party contracting frameworks and the ICT service contracts themselves, will need to be revisited to check whether they are DORA compliant.
DORA explicitly provides for proportionality in the implementation of the rules. This means that, when implementing DORA, financial entities should consider their size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations. This may be helpful in determining DORA's impact, but will also require entities to consider what level of proportionality is appropriate in their specific situation. We expect further clarity on this in the regulatory technical standards (RTS).
Introduction of more detail via RTS
To further build on the DORA framework, the relevant European Supervisory Authorities (EBA, EIOPA and ESMA) shall develop regulatory and implementing technical standards for financial entities to abide by. These are expected in tranches: the first batch of draft technical standards is due to be submitted to the European Commission by 17 January 2024, with further batches following during 2024. This means that preparing for DORA compliance inevitably requires keeping a close eye on the European Supervisory Authorities' latest activities on digital operational resilience. In the meantime, overarching actions should be considered. The technical standards will provide further detail on specific requirements, but do not take away from the general steps to be considered now to ensure timely organisational readiness.
Relation to existing legal framework
DORA is part of a larger European digital finance package that aims to ensure financial stability and consumer protection through technological development. This digital finance package also includes a European digital finance strategy, regulation on markets in crypto-assets (MiCA), and regulation concerning market infrastructures based on distributed ledger technology.
Due to previous policy and legislative initiatives by the EU and national governments, DORA provisions overlap with existing regulation. For example, at the European level, material overlap is expected with the provisions of the revised Network and Information Security Directive (NIS2), in relation to which DORA is intended to act as the sector-specific (lex specialis) regime for financial entities, as well as with the EBA Guidelines on Outsourcing Arrangements and the EBA Guidelines on ICT and Security Risk Management. Entities should be aware of this potential regulatory overlap and prepare to navigate a rapidly expanding regulatory landscape in the run-up to DORA's applicability date of 17 January 2025.
Next steps: round table on 18 April 2023
Even though DORA applies as of 17 January 2025, preparations and implementation for full compliance will take time. We recommend starting to identify gaps and prepare a plan of action. As a first step, consider identifying: (i) which teams in your organisation should be involved (likely not only legal and compliance, but also specific teams such as IT, risk management and operations), and (ii) what DORA's scope of application is expected to be (which existing contracts are in scope and will need to be revisited, which policies require further review, etc.).
To discuss DORA's impact on your business, including potential steps to take, we are hosting a round table at our Amsterdam office on 18 April 2023 from 8:30 to 10:30. For more information, see Round table - Digital Operational… | De Brauw Blackstone Westbroek.
You can sign up for the round table by sending an email to Client.Events@debrauw.com