4 June 2025
DORA: New rules for digital operational resilience in the financial sector
Digital transformation and the need for regulation
The digital transformation of the financial sector has brought many opportunities, but also new risks. To strengthen the resilience of financial institutions against cyber threats and operational disruptions, the European Union has adopted Regulation (EU) 2022/2554, known as DORA (Digital Operational Resilience Act). The Regulation entered into force on 16 January 2023, and compliance has been mandatory since 17 January 2025.
Main areas of regulation
DORA aims to ensure that all financial sector entities have adequate measures in place to prevent, detect and address cyber-attacks and operational failures. The main areas of regulation include:
ICT risk management
Financial institutions need to put in place robust frameworks to manage information and communication technology (ICT) risks, including continuous monitoring and timely resolution of incidents.
Incident reporting and resolution
Financial entities are obliged to report significant cyber incidents to the relevant regulators, which increases transparency and enables a coordinated response.
Digital Operational Resilience Testing
Entities are obliged to test their digital resilience regularly, including through penetration tests and scenarios that simulate real-life cyber-attacks.
Third party risk management
DORA introduces stricter requirements for the supervision of digital service providers (e.g. cloud services) that are critical to the functioning of financial institutions.
Cooperation and supervision
DORA strengthens cooperation between EU Member States and regulators so that action can be coordinated and the rules applied consistently.
Impact of DORA on financial institutions
DORA applies to a wide range of entities, including banks, insurance companies, investment firms, asset management companies and crypto service providers.
Financial institutions will have to:
- Adapt their existing security policies to the new requirements.
- Invest in modernising IT infrastructure and cybersecurity.
- Improve monitoring and reporting of cyber incidents.
- Ensure compliance with cyber-attack resilience testing requirements.
DORA represents a significant step forward for financial sector cybersecurity in the EU. Its implementation will raise the level of digital resilience and help prevent disruptions that could have serious consequences for financial stability. Financial institutions should start preparing now to meet the new requirements, minimise potential risks and ensure a smooth transition to the new regulatory framework.