Updated Thursday, November 28, 2024

How to implement DORA in your company (Part 1): Overview of the new DORA requirements

The Digital Operational Resilience Act (DORA) will apply from January 17, 2025. For regulated players in the financial sector, the question arises as to the extent to which implementation measures will be necessary. The focus here is on contracts with ICT service providers.

Steffen Groß

Partner (Attorney-at-law)

Leon Neumann

Scientific Research Assistant

Jakob Riediger

Scientific Research Assistant

I. Addressees
II. Relationship to NIS2
III. Sanctions
IV. Key regulatory content
V. The use of ICT third-party service providers


The DORA is a key regulatory initiative of the European Union that aims to improve the digital resilience of the financial sector by establishing uniform rules for the use of information and communication technologies (ICT). It aims to ensure that a wide range of financial institutions - including banks, insurers, investment firms and payment service providers - are able to effectively defend against and recover from cyberattacks and other digital threats. Strict requirements on risk management, security standards and the monitoring of third-party providers will strengthen confidence in the digital infrastructure of the financial sector. The regulation entered into force on January 16, 2023 and will apply from January 17, 2025.

The DORA is intended to ensure that all in-scope entities are digitally resilient enough to withstand, respond to and recover from any ICT-related cyber threat. The aim is to maintain business continuity even if an organization's ICT is disrupted. The regulation also sets out security requirements for the networks and information systems of critical third-party providers of ICT-related services, such as cloud platforms or data analytics services, in addition to those for organizations in the financial sector. These requirements are uniform in all EU Member States.


I. Addressees

The Digital Operational Resilience Act must be observed by financial entities and by third-party service providers of information and communication technologies (ICT third-party service providers). According to BaFin, almost all supervised institutions and entities in the European financial sector are subject to the DORA.

Financial entities: including banks, payment and credit institutions, credit rating agencies, e-money institutions, crypto-asset and crowdfunding service providers, insurance and reinsurance providers, investment entities and investment funds, capital market entities, brokers, statutory auditors and auditing entities.

Providers of information and communication technology (ICT): including providers of payment solutions, providers of data storage solutions, cloud providers/SaaS/outsourcers, software providers, providers of information management systems/CRM solutions, providers of governance, risk management and compliance.

The regulation can apply to ICT providers in two ways: firstly, directly to so-called “critical ICT third-party service providers” within the meaning of Art. 31 DORA, as these are subject to a special regulatory supervisory framework, and secondly, indirectly to all ICT third-party service providers, as they must adapt their organization, the provision of their services and their service contracts to the requirements of the DORA if they work for financial entities. The latter case is discussed in detail in Part 2 and Part 3.


II. Relationship to NIS2

The NIS2 Directive, which was published on December 27, 2022 and is to be transposed into national law by October 27, 2024, covers a total of 18 sectors, including the financial sector. For financial entities, the question therefore arises as to which of the two sets of rules must be observed.

This question is answered by recital 16 of DORA, which identifies DORA as lex specialis and thus as taking precedence over NIS2. This is also reflected in the fact that the DORA regulations are specifically tailored to the financial sector and have more detailed requirements than NIS2. Recital 16 goes on to state that it is important to maintain a close relationship between the financial sector and the Union's horizontal cybersecurity framework currently set out in NIS2 in order to ensure consistency with the cybersecurity strategies adopted by Member States and to enable financial supervisory authorities to be alerted to cyber incidents affecting other sectors covered by that Directive.

The following therefore applies: while financial entities fall within the “finance and insurance” sector under NIS2, they are exempt from most NIS2 obligations (apart from registration with the BSI) to the extent that they are also regulated by DORA. This means that financial institutions are largely exempt from the requirements of NIS2. However, because of the exclusions in DORA, there are also financial companies that do not fall within the scope of DORA; these may then be covered by NIS2.

On the other hand, critical ICT third-party service providers are subject to dual regulation, namely both DORA and NIS2, as they fall within the latter's “IT and telecommunications” sector. This means that, as a rule, critical ICT service providers must comply with both the DORA obligations for ICT service providers and the regular NIS2 obligations.

The obligations in DORA and NIS2 are fundamentally similar and focus on the risk management of IT and services provided. However, the obligations under DORA are more comprehensive and detailed than those under NIS2. Companies affected by both regulations must therefore reconcile the respective obligations.


III. Sanctions

The requirements of the DORA must be met from January 17, 2025. From this date, sanctions can therefore be expected in the event of violations. According to Art. 50 para. 3 DORA, the EU member states must define appropriate administrative sanctions and remedial measures for violations of DORA and ensure their effective implementation. The member states are also free to impose criminal sanctions. Periodic penalty payments imposed on a critical ICT third-party service provider can amount to up to 1% of its average worldwide daily turnover in the previous financial year (Art. 35 para. 8 sentence 1 DORA). Pursuant to Art. 54 para. 1 DORA, administrative sanctions must be published by the competent authorities on their websites.


IV. Key regulatory content

ICT risk management (Chapter II, Art. 5-16): The DORA sets out requirements for the proper management of ICT risks. These requirements include procedures for risk identification and risk minimization.

ICT-related incident management, classification and reporting (Chapter III, Art. 17-23): The regulation provides for improved monitoring, detection and reporting of cyber threats and attacks in the financial sector. The chapter contains provisions on procedures and processes in the event of such incidents, including notification and reporting to the supervisory authorities.

Digital Operational Resilience Testing (Chapter IV, Art. 24-27): In addition, the requirements for security testing are expanded and the introduction of an EU-wide testing standard is sought. Financial entities should proactively test their systems, tools and processes for weaknesses or gaps in order to prepare for ICT-related incidents. The DORA testing requirements include vulnerability and network security assessments, gap analysis, software solution testing, scenario-based testing, penetration testing and third-party risk assessments.

Management of ICT third-party risk (Chapter V, Art. 28-30): Financial institutions must assess and document the risks associated with ICT service providers. Contracts with these entities must be DORA-compliant.

Oversight Framework for critical ICT third-party service providers (Chapter V, Art. 31-44): The DORA also regulates the establishment of a European oversight framework for critical ICT third-party service providers operating in the financial market, in order to track developments in ICT risks and vulnerabilities and to promote a coherent approach to the monitoring of ICT third-party risk at Union level.

Information-sharing arrangements on cyber threat information and intelligence (Chapter VI, Art. 44 and Chapter VII, Art. 49): The DORA promotes the exchange of information and intelligence on cyber threats between partners and competing entities.


V. The use of ICT third-party service providers

The regulatory focus of the DORA requirements is the use of ICT third-party service providers by financial entities. Art. 28-30 DORA set out special requirements for this. These are presented in detail in a further Insight (Part 2).



© 2019 - 2024 Simpliant