
Aiming for harmonised digital operational resilience in the EU financial sector

DORA aims to establish a harmonized and streamlined digital operational resilience framework across the EU financial sector. It will also establish a new oversight framework for critical ICT third-party service providers that provide ICT services to financial entities.

On 27 December 2022, the new EU regulation on digital operational resilience for the financial sector (DORA) was published in the Official Journal of the EU, and it entered into force on 16 January 2023. In-scope entities have until 17 January 2025 to prepare for the start of DORA's application.

Who is in scope of DORA

DORA will apply to the majority of financial entities, including: credit, payment and e-money institutions, investment firms, crypto-asset service providers, issuers of crypto-assets, insurance and reinsurance undertakings, credit rating agencies, statutory auditors and audit firms and crowdfunding service providers. DORA will also apply to ICT third-party service providers which are designated as "critical" for financial entities.


What are the main elements of DORA

Among other requirements, all financial entities and service providers caught by DORA will be required to:

  • implement governance and control frameworks to manage ICT risks effectively within such frameworks;
  • carry out enhanced digital operational resilience testing;
  • manage ICT third-party risk with ICT management frameworks; and
  • report major ICT-related incidents to competent authorities.

 

Actions to consider

DORA will have a significant impact on all financial entities and service providers in scope. Although there is a 24-month implementation period, it is important that entities falling within the scope of DORA start preparing for its implementation now.

Firstly, a thorough assessment of the new requirements against the current policies, processes and practices implemented within financial entities should be carried out to identify potential compliance gaps. ICT service providers with customers in the financial services sector should consider whether or not the classification as a ‘critical’ ICT third-party service provider is likely to apply to their business. If so, it may be prudent to start thinking about the compliance strategy that will need to be planned and implemented in time for the compliance window to be met.

 For more information regarding DORA and how it will affect your business, please contact your usual DLA Piper advisor.