The Regulation (EU) 2022/2554 on digital operational resilience in the financial sector and modifying Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011 (Digital Operational Resilience Act - DORA) was adopted by the European Parliament and the Council of Ministers under the ordinary legislative procedure of the European Union and signed by the respective Presidents on 14.12.2022.
Publication in the Official Journal of the European Union followed on 27.12.2022. From 17.01.2025, DORA applies in the Member States and thus also to the national companies it covers.
DORA obliges the companies affected by the regulation to set up and continuously improve their ICT (information and communication technology) systems. It also imposes reporting obligations on the companies concerned and prescribes a review of third-party ICT service providers.
It remains to be seen whether the national legislator sees a need for national implementing measures. It can be assumed that the FMA will draw up guidelines on DORA, intended to serve as guidance for the companies affected by the requirements imposed by DORA.
1. Background and overview of the legislative process
In September 2020, the European Commission presented the Digital Finance Package. The aim was to create a uniform regulation of the digital financial services market at the Union level. In view of the increasing danger of cyber attacks, the EU wants to strengthen the IT security of financial companies such as banks, insurance companies and payment service providers.
The key element of this package is the Digital Operational Resilience Act (DORA Regulation). The aim of this regulation is to create a legal framework for the operational stability of digital systems. It is intended to strengthen companies' resilience to all types of ICT-related (information and communications technology) disruptions and threats so that they can mitigate and avert cyber threats. DORA is thus intended to contribute to sound and adequate cyber security in the financial sector against threats arising from ICT.
After reaching a political agreement, DORA was signed by the President of the European Parliament and the President of the Council on 14.12.2022. The publication in the Official Journal took place on 27.12.2022. Its regulations are directly applicable for the Member States and thus also for the companies affected by DORA as of 17.01.2025.
2. Companies affected by DORA
Almost all financial companies (such as banks or payment service providers) are subject to the new regulations. Auditors, among others, are exempt; they will be considered in a future review of the regulation.
3. On the substantive requirements
- The companies affected by DORA must set up stable ICT systems and continuously improve them.
- DORA requires companies to regularly inspect their ICT systems by establishing a risk-based, proportional testing program.
- DORA extends the reporting requirement for serious ICT incidents to all financial firms covered by the Act.
- DORA also introduces what is known as ICT third-party risk management. Companies that offer ICT services (= ICT third-party service providers) must be monitored by the financial companies (already) during the contract conclusion phase, during the fulfillment of the contract, during the termination of the contract and also in the post-contract phase. For example, a risk analysis must be carried out when the contract is concluded.
Through Europe-wide harmonization, DORA creates uniform and standardized rules: a comprehensive legal framework that focuses on the risks of digitalization for the financial sector at EU level.
For the companies now covered by DORA, however, the obligations associated with the regulation represent an enormous financial and technical challenge. As the DORA regulations are applicable from 17.01.2025 onwards, there is an immediate need for action.