Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554 is a European Union regulation.[1][2] It requires financial entities to improve their digital operational resilience.

Aim

[edit]

DORA aims to improve the digital operational resilience of financial entities in the EU and their ICT suppliers and create a uniform regulatory framework across the EU, in order to reduce the susceptibility to cyber threats across the entire value chain of the financial sector. In addition, DORA intends to harmonize national regulations regarding the security of IT systems in the financial sector, thus strengthening the European financial market as a whole against cyber risks and information and communications technology incidents.

Scope

[edit]

The regulation applies to financial entities and third-party suppliers of ICT services. Article 2 defines financial entities as:

  • credit institutions
  • payment institutions
  • account information service providers
  • electronic money institutions
  • investment firms
  • crypto-asset service providers and issuers of asset-referenced tokens
  • central securities depositories
  • central counterparties
  • trading venues
  • trade repositories
  • managers of alternative investment funds
  • management companies
  • data reporting service providers
  • insurance and reinsurance undertakings
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • administrators of critical benchmarks
  • crowdfunding service providers
  • securitisation repositories

The regulation explicitly does not apply to:

  • managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU
  • insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC
  • institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total
  • natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises
  • post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU

Proportionality principle

[edit]

Article 4 defines the proportionality principle, resulting in some exceptions for smaller enterprises which fall within the scope of the regulation despite their size. This allows for a simplified implementation of certain requirements in accordance with the overall risk profile of the enterprise. An example for this is the simplified ICT risk management framework according to Article 16 in combination with a regulatory technical standard (RTS).

Structure

[edit]

The regulation comprises 64 articles divided into 9 chapters:

  1. General provisions (Art. 1–4)
  2. ICT risk management (Art. 5–16)
  3. ICT-related incident management, classification and reporting (Art. 17–23)
  4. Digital operational resilience testing (Art. 24–27)
  5. Managing of ICT third-party risk (Art. 28–44)
  6. Information-sharing arrangements (Art. 45)
  7. Competent authorities (Art. 46–56)
  8. Delegated acts (Art. 57)
  9. Transitional and final provisions (Art. 58–64)

In addition, the European Supervisory Authorities develop regulatory and implementing technical standards (RTS and ITS), which, being published in the Official Journal of the European Union, also become legally binding:

  1. RTS on the ICT risk management framework (Art. 15)
  2. RTS on the simplified ICT risk management framework (Art. 16 paragraph 3)
  3. RTS on the classification of ICT-related incidents and cyber threats (Art. 18 paragraph 3)
  4. RTS to establish the content of the reports for major ICT-related incidents (Art. 20 (a))
  5. ITS to establish the standard forms, templates and procedures for financial entities to report a major ICT-related incident (Art. 20 (b))
  6. RTS on threat-led penetration testing (Art. 26 paragraph 11)
  7. ITS on standard templates for the purposes of the register of information (Art. 28 paragraph 9)
  8. RTS on the policy on the use of ICT services (Art. 28 paragraph 10)
  9. RTS on the specification of elements when subcontracting ICT services supporting critical or important functions (Art. 30 paragraph 5)
  10. guidelines on the cooperation between the ESAs and the competent authorities regarding the structure of the oversight framework (Art. 32 paragraph 7)
  11. RTS on the harmonisation of conditions enabling the conduct of the oversight activities (Art. 41)

References

[edit]
  1. ^ Pattison, Andrew. A Guide to the EU Digital Operational Resilience Act. Walter de Gruyter. ISBN 9781787784536.
  2. ^ Rodenburg-Luitse, Willemijn (2023-01-25). "EU neemt met Dora baanbrekende it-wetgeving aan". Computable.nl (in Dutch). Retrieved 2024-05-21.
[edit]