The DORA is a key regulatory initiative of the European Union that aims to improve the digital resilience of the financial sector by establishing uniform rules for the use of information and communication technologies (ICT). It aims to ensure that a wide range of financial institutions - including banks, insurers, investment firms and payment service providers - are able to effectively defend against and recover from cyberattacks and other digital threats. Strict requirements on risk management, security standards and the monitoring of third-party providers will strengthen confidence in the digital infrastructure of the financial sector. The regulation entered into force on January 16, 2023 and will apply from January 17, 2025.
The DORA is intended to ensure that all entities are digitally flexible enough to withstand, respond to and recover from any ICT-related cyber threat. The aim is to ensure business continuity even if an organization's ICT is disrupted. The regulation also sets out the security requirements for networks and information systems for critical third-party providers of ICT-related services such as cloud platforms or data analytics services, as well as for organizations in the financial sector. These requirements are uniform in all EU Member States.
I. Addressees
The Digital Operational Resilience Act must be observed by financial entities and third-party service providers of information and communication technologies (ICT third party service providers). According to BaFin, almost all supervised institutions and entities in the European financial sector are subject to the DORA, see here.
Financial entities: including banks, payment and credit institutions, credit rating agencies, e-money institutions, crypto-assets and crowdfunds, insurance and reinsurance providers, investment entities and investment funds, capital market entities, brokers, statutory auditors and auditing entities.
Providers of information and communication technology (ICT): including providers of payment solutions, providers of data storage solutions, cloud providers/SaaS/outsourcers, software providers, providers of information management systems/CRM solutions, providers of governance, risk management and compliance.
II. Relationship to NIS-2
The NIS-2 Directive, which was published on December 27, 2022 and is to be transposed into national law by October 27, 2024, covers a total of 18 sectors, including the financial sector. For financial companies, the question therefore arises as to which of the regulations must be observed.
This question is answered by recital 16 of DORA, which identifies DORA as lex specialis and thus as taking precedence over NIS-2. The recital goes on to state that it is important to maintain a close relationship between the financial sector and the Union's horizontal cybersecurity framework currently set out in NIS-2 in order to ensure consistency with the cybersecurity strategies adopted by Member States and to allow financial supervisory authorities to be alerted to cyber incidents affecting other sectors covered by that Directive.
In conclusion, it should be noted that the requirements for financial companies arise primarily from the DORA.
III. Sanctions
The requirements of the DORA must be met from January 27, 2025. From this date, sanctions can therefore be expected in the event of violations. According to Art. 50 para. 3 DORA, the EU member states must define appropriate administrative sanctions and remedial measures for violations of DORA and ensure their effective implementation. The member states are also free to impose criminal sanctions. Periodic penalty payments that can be imposed on the ICT third-party service provider can amount to up to 1% of the average worldwide daily turnover generated by the critical ICT third-party service provider in the previous financial year (Art. 35 para. 8 sentence 1 DORA). Pursuant to Art. 54 para. 1 DORA, administrative sanctions must be published by the competent authorities on their websites.
IV. Key regulatory content
ICT risk management (Chapter II, Art. 5-16): The DORA sets out requirements for the proper management of ICT risks. These requirements include procedures for risk identification and risk minimization.
ICT-related incident management, classification and reporting (Chapter III, Art. 17-23): The regulation provides for improved monitoring, detection and reporting of cyber threats and attacks in the financial sector. The chapter contains provisions on procedures and processes in the event of such incidents, including notification and reporting to the supervisory authorities.
Digital Operational Resilience Testing (Chapter IV, Art. 24-27): In addition, the requirements for security testing are expanded and the introduction of an EU-wide testing standard is sought. Financial entities should proactively test their systems, tools and processes for weaknesses or gaps in order to prepare for ICT-related incidents. The DORA testing requirements include vulnerability and network security assessments, gap analysis, software solution testing, scenario-based testing, penetration testing and third-party risk assessments.
Management of ICT third party risk (Chapter V, Art. 28-30): Financial institutions must assess and document the risks associated with ICT service providers. Contracts with these entities must be DORA-compliant.
Oversight Framework of critical ICT third-party service providers (Chapter V, Art. 31-44): The DORA also regulates the establishment of a European monitoring framework for critical ICT third party service providers operating in the financial market to track developments in ICT risks and vulnerabilities and to promote a coherent approach to the monitoring of ICT third party risk at Union level.
Information-sharing arrangements on cyber threat information and intelligence (Chapter VI, Art. 44 and Chapter VII, Art. 49): The DORA promotes the exchange of information and intelligence on cyber threats between partners and competing entities.
V. Use of third-party ICT providers
The regulatory focus of the DORA requirements is the use of third-party ICT providers by financial entities. Art. 28-30 DORA sets out special requirements for this. These are presented in detail in a further Insight (Part 2).