On December 27, 2022, the European Regulation on digital operational resilience for the financial sector was published. It entered into force on January 17, 2023 and will apply as of January 17, 2025.
The objective of DORA is to enable the European financial sector (construed broadly) to remain resilient in the event of a serious operational disruption as well as to prevent and mitigate cyber threats.
- DORA creates a regulatory framework on digital operational resilience whereby all businesses must ensure that they can resist, respond to and recover from all types of ICT-related disruptions and threats.
- DORA sets uniform requirements, consistent across the whole of the EU, for the security of the networks and information systems of financial sector institutions, as well as critical third party-providers that offer them with information and communication technology (ICT) services, such as cloud computing platforms (PaaS) or data analysis services.
Scope of DORA
The scope of the Regulation is very broad. DORA targets Luxembourg entities engaged in financial and insurance sectors, including, amongst others:
- Credit institutions;
- Payment institutions, including payment institutions exempted pursuant to PSD2;
- Electronic money institutions, including electronic money institutions exempted pursuant to EMID;
- Investment firms;
- Crypto-asset service provider as authorised and issuers asset-referenced tokens;
- Managers of alternative investment funds;
- Management companies of OPCVM;
- Insurance and reinsurance companies;
- ICT third-party service providers
As well as any Luxembourg branches of the aforementioned entities.
Uniform rules and requirements set forth by DORA
- Requirements for financial entities:
- Information and communication technology (ICT) risk management;
- Reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
- Reporting of major operational or security payment-related incidents to the competent authorities by financial entities;
- Digital operational resilience testing;
- Information and intelligence sharing in relation to cyber threats and vulnerabilities;
- Measures for the sound management of ICT third-party risk;
- Requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
- Rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities;
- Rules on cooperation between competent authorities, and rules on supervision and enforcement by competent authorities with respect to the rules set forth by DORA.
DORA requires Member States to lay down rules on appropriate, effective, and proportionate criminal and administrative penalties and remedial measures for its breaches.