Key Facts about DORA – The Digital Operational Resilience Act
28/05/2024
With DORA, Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, the European Union has created a regulation covering cybersecurity, ICT risks and digital operational resilience for the EU financial sector. This regulation significantly contributes to strengthening the European financial market against cyber risks and incidents related to information and communication technology (ICT).
Key Facts
- Addresses appropriate management of the financial sector’s increasing reliance on third-party providers.
- Applies from January 17, 2025.
- Consolidates various requirements for institutions and companies regarding cybersecurity, ICT risks, and digital operational resilience.
- Applies to almost all supervised institutions and companies in the European financial sector, including ICT third-party service providers (see Article 2 paragraph 1 of DORA).
- Regulatory Technical Standards (RTS), Implementing Technical Standards (ITS) and guidelines that further specify the application of DORA across all sectors are being developed by the three European Supervisory Authorities – the European Securities and Markets Authority (ESMA), the European Banking Authority (EBA), and the European Insurance and Occupational Pensions Authority (EIOPA).
As per Article 3, point (1) of Directive (EU) 2015/2366; REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022:
‘Digital Operational Resilience’ means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.
Objective and Focus
- EU Regulation: Focuses on the financial sector at the European level.
- Operational and Cyber Stability: Enhancing the security and operational resilience of the entire European financial sector.
- Harmonization: Financial entities should follow the same approach and the same rules when addressing ICT risks.
Core Elements
The regulation is designed to cover all aspects of digital resilience in the financial sector. The graphic below highlights the core elements of DORA. These elements span from comprehensive risk management frameworks to testing protocols and third-party oversight, ensuring a robust and secure digital financial environment across the European Union.

Timeline
The timeline provided outlines critical milestones in the journey towards the implementation of DORA across the European financial sector.

- 2020-2022: This period focused on the preparation and negotiation of DORA at the European level. Stakeholders across EU member states collaborated to craft a framework that balances resilience with innovation in the digital era.
- 17/02/2023: Marked a significant milestone with the entry into force of DORA alongside the amendment directive, initiating new standards of enhanced operational resilience.
- 2023: The drafting of Level 2 and Level 3 regulatory acts (Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)) begins, further detailing the requirements.
- 2023-2024: During this phase, public consultation and national implementations take place, allowing feedback and adaptation. This process aims at the finalization of Level 2 and Level 3 regulatory acts and their adoption by the EU Commission.
- 17/01/2025: This date marks the mandatory application of DORA and the amendment directive.
Sources
- REGULATION (EU) 2022/2554 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011
- https://www.digital-operational-resilience-act.com/Article_3.html
- https://www.bafin.de/DE/Aufsicht/DORA/DORA_node.html
- BaFin: ‘DORA ein Überblick’, 05/12/2023