On 28 November, the Council of Europe adopted the Digital Operational Resilience Act (“DORA”), a Regulation on the digital operational resilience of the financial sector.
What is DORA all about?
The Digital Operational Resilience Act (DORA) is part of the Digital Finance Package of the European Union.
DORA sets out uniform requirements for the security of networks and information systems of institutions operating in the financial sector, with the objective of maintaining the resilience of the financial sector and harmonising existing laws and regulations in this field.
The Regulation contains specific obligations for IT risk management, reporting on IT-related incidents and cyber threats and sharing of information in this context, testing IT systems (including pen tests), and managing the risks of outsourcing IT to third parties. For the latter, DORA sets out specific minimum requirements that need to be taken into account in outsourcing agreements.
DORA applies to financial entities such as banks and insurers, which were already subject to similar supervision under existing laws and regulations as a result of the various European Directives and secondary national legislation and guidelines of supervisory authorities in this context. Examples are the requirements set in the Dutch Financial Supervision Act, the EBA guidelines on outsourcing arrangements that apply to financial entities such as banks, and the similar EIOPA Guidelines on outsourcing to cloud service providers to which insurers are subject.
A special and new element is that DORA will also bring certain ICT service providers that provide ICT services to parties in the financial sector under direct supervision: the so-called ‘critical ICT third-party service providers’ under DORA.
The legislative process
The original proposal for this Regulation dates back to 24 September 2020. Following recommendations from the European Central Bank, the European Data Protection Supervisor and the European Economic and Social Committee, the text of this proposal was amended. Last summer, the European Court and the Council of Europe reached a preliminary agreement, and the amended text has since been adopted and approved by both at first reading.
The adoption of the (amended) proposal for the Digital Operational Resilience Act by the European Council was the final step in the European legislative process. In principle, we now only have to await the publication of the final text by which DORA will enter into effect.
After DORA enters into effect, financial entities such as banks and insurers, as well as IT service providers that fall under the scope of application, will be granted an implementation period of 24 months to meet the requirements of DORA.
In a subsequent article, we will further set out and discuss the various requirements arising from DORA for banks and insurers, and for (critical) IT service providers in outsourcing arrangements.
Do you have questions about DORA or the way in which this Regulation will affect your enterprise? Please feel free to contact Jan or Laura.