DORA - What You Need to Know

The Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554) entered into force in January 2023, marking the beginning of a 24-month period in which financial entities affected by DORA are required to integrate the regulation into their operations. DORA will become applicable on 17 January 2025.

Who does it apply to?

DORA will apply to all financial entities, including credit institutions, payment institutions and investment firms as well as certain information and communication technology (ICT) third-party service providers.

What is DORA aiming to achieve?

The rapid digitalisation and the increased vulnerability to cyberattacks made previous regulations inadequate to address the emerging risks and challenges posed by the developments in the financial services sector.
DORA aims to enhance the resilience of the financial sector by governing the prevention and management of ICT risks by financial entities. It also streamlines the existing patchwork of relevant provisions contained within EU financial services legislation, establishing a comprehensive framework on digital operational resilience for EU financial entities. It sets out network and information systems security requirements for financial entities and their third-party ICT service providers. Once met, the DORA requirements should enable financial entities to have the full range of ICT related capabilities needed to address the security of the network and information systems which a financial entity uses and which support the continued provision of financial services and their quality, including through disruptions.

What are DORA’s key obligations?

DORA’s key obligations for financial entities are divided into five pillars:

ICT risk management requirements: Financial entities are required to: (i) set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk; (ii) identify on a continuous basis all sources of ICT risk; (iii) set up protection and prevention measures; (iv) promptly detect anomalous activities; and (v) put in place dedicated and comprehensive business continuity policies and disaster recovery plans as an integral part of the operational business continuity policy.

ICT incident reporting: Financial entities are required to establish and implement a management process to monitor and log ICT-related incidents, followed by an obligation to classify them based on criteria detailed in the regulation and further developed by the ESAs to specify materiality thresholds.

Digital operational resilience testing: The regulation introduces digital operational resilience testing requirements depending on the size, business and risk profiles of financial entities: while all entities should perform testing of ICT tools and systems, only those identified by competent authorities as significant and cyber mature should be required to conduct advanced testing based on threat-led penetration tests (TLPTs).

ICT third-party risk: Financial entities are required to monitor risks posed by ICT third-party providers. The regulation harmonises key elements of the service and relationship with ICT third-party providers. DORA requires financial services entities to assess and divide their ICT third-party providers into those who provide services that support critical and important functions and those who don’t. DORA requirements for the contracts supporting critical or important functions are more extensive and detailed. These include contractual requirements which are similar but not identical to the existing outsourcing regime, such as a full service level description, indication of the locations where data is being processed, termination rights and audit rights.

Information sharing: Financial entities are encouraged to set up arrangements to exchange cyber threat information and intelligence amongst themselves.


Key dates

The following dates are key for the DORA implementation plan:


How can we help?

Our lawyers will provide clients with the right legal advice and support, based upon our in-depth understanding of the DORA requirements.

We can assist with reviewing contracts with ICT third-party providers to identify any clauses which need to be added and/or amended to align each contract with the applicable mandatory DORA requirements. DORA does not set out full-form clauses to be included in all contracts, but instead sets out the elements the contracts need to cover. While some of these are terms which would typically be included in any properly drafted ICT contract, others may not be included in standard terms or in regulated firms’ templates.

We can support clients with discussions with ICT third-party providers to ensure the required clauses are included.

We can update templates to ensure all future contracts entered into comply with the relevant DORA requirements.

We embrace emerging AI technologies, which enable us to provide unique solutions to contractual re-papering exercises, ensuring speed, efficiency and accuracy of outcome.

Authors:

Calliopi Nicolaidou

Partner, Corporate Law

Hadjianastassiou, Ioannides LLC (Deloitte Legal)
Email: cnicolaidou@deloitte.com


Christina Hadjivassiliou

Managing Associate, Commercial Law

Hadjianastassiou, Ioannides LLC (Deloitte Legal)
Email: chadjivassiliou@deloitte.com