Digital Operational Resilience Act

From Wikipedia, the free encyclopedia

The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554, is a European Union regulation.[1][2] It requires financial entities to improve their digital operational resilience.

Aim

DORA aims to improve the digital operational resilience of financial entities in the EU and their ICT suppliers and create a uniform regulatory framework across the EU, in order to reduce the susceptibility to cyber threats across the entire value chain of the financial sector. In addition, DORA intends to harmonize national regulations regarding the security of IT systems in the financial sector, thus strengthening the European financial market as a whole against cyber risks and information and communications technology incidents.

Scope

The regulation applies to financial entities and third-party suppliers of ICT services. Article 2 defines financial entities as:

  • credit institutions
  • payment institutions
  • account information service providers
  • electronic money institutions
  • investment firms
  • crypto-asset service providers and issuers of asset-referenced tokens
  • central securities depositories
  • central counterparties
  • trading venues
  • trade repositories
  • managers of alternative investment funds
  • management companies
  • data reporting service providers
  • insurance and reinsurance undertakings
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • institutions for occupational retirement provision
  • credit rating agencies
  • administrators of critical benchmarks
  • crowdfunding service providers
  • securitisation repositories

The regulation explicitly does not apply to:

  • managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU
  • insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC
  • institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total
  • natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU
  • insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises
  • post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU

Proportionality principle

Article 4 defines the proportionality principle, which results in some exceptions for smaller enterprises that fall within the scope of the regulation despite their size. It allows a simplified implementation of certain requirements in accordance with the overall risk profile of the enterprise. An example of this is the simplified ICT risk management framework under Article 16 in combination with a regulatory technical standard (RTS).

Structure

The regulation comprises 64 articles divided into 9 chapters:

  1. General provisions (Art. 1–4)
  2. ICT risk management (Art. 5–16)
  3. ICT-related incident management, classification and reporting (Art. 17–23)
  4. Digital operational resilience testing (Art. 24–27)
  5. Managing of ICT third-party risk (Art. 28–44)
  6. Information-sharing arrangements (Art. 45)
  7. Competent authorities (Art. 46–56)
  8. Delegated acts (Art. 57)
  9. Transitional and final provisions (Art. 58–64)

In addition, the European Supervisory Authorities (ESAs) develop regulatory and implementing technical standards (RTS and ITS), which, once published in the Official Journal of the European Union, also become legally binding:

| Type | Subject | DORA reference | Implemented | Status |
|------|---------|----------------|-------------|--------|
| RTS | ICT risk management framework | Art. 15 | Commission Delegated Regulation (EU) 2024/1774 | In force |
| RTS | Simplified ICT risk management framework | Art. 16 (3) | Commission Delegated Regulation (EU) 2024/1774 | In force |
| RTS | Classification of ICT-related incidents and cyber threats | Art. 18 (3) | Commission Delegated Regulation (EU) 2024/1772 | In force |
| RTS | Content of the reports for major ICT-related incidents | Art. 20 (a) | | Adopted October 23, 2024; pending publication in Official Journal |
| ITS | Standard forms, templates and procedures for financial entities to report a major ICT-related incident | Art. 20 (b) | | Final draft published July 17, 2024 |
| RTS | Threat-led penetration testing | Art. 26 (11) | | Final draft published July 17, 2024 |
| ITS | Standard templates for the purposes of the register of information | Art. 28 (9) | | Draft rejected by the Commission on September 3, 2024 |
| RTS | Policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (third-party policy) | Art. 28 (10) | Commission Delegated Regulation (EU) 2024/1773 | In force |
| RTS | Specification of elements when subcontracting ICT services supporting critical or important functions | Art. 30 (5) | | Final draft published July 26, 2024 |
| Guidelines | Cooperation between the ESAs and the competent authorities regarding the structure of the oversight framework | Art. 32 (7) | | Published November 6, 2024 |
| RTS | Harmonisation of conditions enabling the conduct of the oversight activities | Art. 41 | | Adopted October 24, 2024; pending publication in Official Journal |

Impact

DORA will have an impact on pension schemes. Pension schemes with more than 15 but fewer than 100 members will be subject to a simplified ICT risk management framework.[3]

References

  1. Pattison, Andrew. A Guide to the EU Digital Operational Resilience Act. Walter de Gruyter. ISBN 9781787784536.
  2. Rodenburg-Luitse, Willemijn (2023-01-25). "EU neemt met Dora baanbrekende it-wetgeving aan". Computable.nl (in Dutch). Retrieved 2024-05-21.
  3. "Exploring DORA's Impact on Pension Schemes". Mason Hayes Curran. Retrieved 2024-12-12.