DORA: Why it is relevant, and why it is relevant to you
The Digital Operational Resilience Act (DORA) is a significant development in EU regulation, compelling financial entities to ensure consistent cybersecurity and operational resilience maturity levels across all their operations within the EU. With a two-year preparatory phase, organizations face a significant task of implementation and demonstration of compliance.
To navigate this transition effectively, financial institutions must conduct comprehensive gap assessments to gauge their readiness vis-à-vis DORA, identifying areas necessitating further investment and prioritization. Proactively addressing these gaps positions businesses to meet more complex requirements such as supply risk management, threat intelligence, and advanced security testing, thus gaining a competitive edge in the market.
DORA marks a substantial shift for entities under ESMA or EIOPA supervision and banks already subject to existing EBA guidelines on banking supervision. Moreover, it extends its scope to encompass previously less regulated stakeholders in the financial sector, including crypto-asset service providers, intermediaries managing alternative investment funds, crowdfunding service providers, cloud-service providers, and ICT third-party service providers.
One of DORA’s key focuses is on third-party risk management, necessitating entities to ensure the resilience of their critical ICT third-party service providers. This requires close collaboration and joint efforts to satisfy regulatory expectations, particularly in supporting the delivery of essential business services.
DORA officially entered into force at the beginning of 2023, initiating a two-year implementation period. Financial entities are thus expected to achieve compliance with the regulation by early 2025. As this deadline approaches, proactive engagement with DORA compliance becomes essential to avoid penalties and maintain operational continuity.
In light of these developments, Andria Papageorgiou Law Firm is committed to assisting organizations in navigating the complexities of DORA compliance. With our outsourced DPO services and regulatory compliance consulting, tailored to address the specific requirements of DORA, we ensure that businesses are well-equipped to meet regulatory obligations and uphold operational resilience in an evolving digital landscape.
Contact us today at [email protected] to learn more about how we can support your journey toward DORA compliance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as financial or investment or legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.
ESAs public consultation on DORA
We would like to draw your attention to the fact that the European Supervisory Authorities (EBA, EIOPA, and ESMA – the ESAs) launched yesterday, 19 June 2023, a public consultation on the first batch of policy products under DORA.
This includes four draft regulatory technical standards (RTS) and one set of draft implementing technical standards (ITS). These technical standards aim to ensure a consistent and harmonized legal framework in the areas of ICT risk management, major ICT-related incident reporting, and ICT third-party risk management.
DORA entered into force on 16 January 2023 and will apply from 17 January 2025, aiming to enhance the digital operational resilience of entities across the EU financial sector and to further harmonize key digital operational resilience requirements for all EU financial entities.
This regulatory framework covers key areas such as:
- ICT risk management,
- ICT-related incident management and reporting,
- digital operational resilience testing, and
- management of ICT third-party risk.
DORA has mandated the ESAs to jointly develop a total of 13 policy instruments in two batches. The first batch of technical standards comprises the following:
- RTS on ICT risk management framework and RTS on simplified ICT risk management framework;
- RTS on criteria for the classification of ICT-related incidents;
- ITS to establish the templates for the register of information;
- RTS to specify the policy on ICT services performed by ICT third-party providers.
The ESAs expect to submit these draft technical standards to the European Commission by 17 January 2024.
Comments on this consultation can be sent to the ESAs by 11 September 2023.
Should you have any further questions, please do not hesitate to contact us at [email protected].