04/15/2024 | Press release | Distributed by Public on 04/15/2024 08:58
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) ("DORA" or the "Act") is a European Union regulation intended to ensure the digital operational resilience of financial entities¹ in the EU against information and communication technology (ICT)-related incidents and operational disruptions. DORA entered into force on January 16, 2023, and its requirements become applicable on January 17, 2025.
DORA applies to all EU "financial entities," including credit institutions (banks), investment firms, insurance companies and crowdfunding service providers, and it also reaches the ICT third-party service providers that serve them, such as software vendors, cloud service providers, data centres and data analytics providers; those designated as critical ICT third-party service providers are subject to a direct Union-level oversight framework. Article 2 of Regulation (EU) 2022/2554 identifies the following financial entities covered by the Act.²
List of financial entities covered by the regulation:
DORA "acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of the entire financial system, even if there is 'adequate' capital for the traditional risk categories."³ The DORA framework lays down requirements for the security of financial entities' network and information systems in order to raise cybersecurity across the EU financial sector, and thereby helps financial entities limit the impact of digital threats on business continuity and reduce their exposure to legal liability and financial and reputational loss.
In order to achieve a high common level of digital operational resilience, the Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities,⁴ as follows:
The Oversight Forum shall regularly discuss relevant developments on ICT risk and vulnerabilities and promote a consistent approach in the monitoring of ICT third-party risk at Union level.¹⁰
DORA and NIS 2 are two critical pieces of EU cybersecurity legislation. The NIS 2 Directive (Directive (EU) 2022/2555) is a legislative act that aims to achieve a high common level of cybersecurity across the European Union.¹¹
NIS 2 raises the baseline of cybersecurity and protects critical infrastructure across many sectors of the EU economy, whereas DORA addresses the EU financial sector's increasing reliance on digital technologies and aims to ensure that the financial system keeps functioning even in the event of a cyberattack or other ICT disruption.
It is significant that NIS 2 is a European directive: it binds Member States to a result and must be transposed into national law, and Member States must adopt and publish the measures necessary to comply with it by October 17, 2024.¹¹ DORA is a European regulation,¹² which is directly applicable as it stands in all EU Member States from January 17, 2025, without national transposition.
Article 1(2) of DORA provides that, in relation to financial entities covered by the NIS 2 Directive and its corresponding national transposition rules, DORA shall be considered a sector-specific Union legal act for the purposes of Article 4 of the NIS 2 Directive.¹² DORA is therefore "lex specialis" to NIS 2¹³,¹⁴ for the financial sector, applying the principle that a specific law takes precedence over a general one: for financial entities covered by DORA, the DORA text prevails where the two overlap. However, this does not mean that NIS 2 obligations cease to apply to entities that fall within the scope of both texts.
The potential penalties under DORA can be significant and, unlike GDPR or NIS 2, can be levied on a daily basis to compel compliance. Under Article 35, a critical ICT third-party service provider that does not comply with the Lead Overseer's measures may be subject to a periodic penalty payment of 1% of its average daily worldwide turnover in the preceding business year, imposed daily for up to six months until compliance is achieved. Penalties for financial entities themselves are laid down by Member States under Article 50; supervisory bodies may also issue cease-and-desist orders, require the termination of ICT contractual arrangements, impose further pecuniary measures, and publish notices of breaches.¹⁶
DORA was first proposed by the European Commission in September 2020 and entered into force on January 16, 2023. Financial entities and ICT third-party service providers have until January 17, 2025 to prepare for and implement it. Final drafts of the first batch of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) were published by the European Supervisory Authorities on January 17, 2024; the second batch is under consultation.
1 The emphasis on "financial entities" rather than "financial institutions" demonstrates the EU's approach to addressing the digital operational resilience of the financial sector in a holistic manner, recognizing the interconnected and digital nature of today's financial systems. This approach ensures that the regulatory framework can adapt to the evolving landscape of financial services, where traditional boundaries between different types of financial activities have become increasingly blurred.
2 Conversely, Article 2(3) identifies entities to which DORA does not apply. These exclusions are largely size-based: managers of alternative investment funds below the thresholds of Article 3(2) of Directive 2011/61/EU, insurance and reinsurance undertakings excluded from Directive 2009/138/EC (Solvency II) under its Article 4, institutions for occupational retirement provision operating pension schemes with no more than 15 members in total, natural or legal persons exempted under Articles 2 and 3 of Directive 2014/65/EU (MiFID II), insurance, reinsurance and ancillary insurance intermediaries that are micro, small or medium-sized enterprises, and post office giro institutions.
4 https://www.digital-operational-resilience-act.com/Article_1.html
5 https://www.digital-operational-resilience-act.com/Article_6.html
6 https://www.digital-operational-resilience-act.com/Article_17.html
7 https://www.digital-operational-resilience-act.com/Article_25.html
8 https://www.digital-operational-resilience-act.com/Article_28.html
9 https://www.digital-operational-resilience-act.com/Article_45.html
10 https://www.digital-operational-resilience-act.com/Article_32.html
11 https://www.nis-2-directive.com/
12 https://www.digital-operational-resilience-act.com/
13 https://www.dora-info.eu/dora/recital-16/
14 https://www.ebf.eu/wp-content/uploads/2021/06/EBF-key-messages-on-NIS2-proposal.pdf
16 https://www.orrick.com/en/Insights/2023/01/5-Things-You-Need-to-Know-About-DORA
This document does not constitute legal advice or reflect the views of Sophos or its employees. Companies should consult their own counsel for legal guidance on any laws and regulations.