The EU’s Digital Operational Resilience Act 2022/2554 (DORA)
Financial regulators have long faced the challenge of ensuring stability in financial markets, especially given the growing reliance on third-party systems, technology, and platforms. The integration of cloud solutions has heightened these complexities, and the potential risk to financial markets increases if a technology provider experiences a cyber incident.
In today’s interconnected financial ecosystem, long chains of IT subcontractors can make it difficult for institutions to fully understand the vulnerabilities in their systems. This is further complicated when key functions are outsourced to entities without direct contractual ties to the financial institution.
The EU introduced the Digital Operational Resilience Act (DORA) with these issues in mind. DORA requires financial entities to identify the ICT services that support their critical or important functions and to strengthen the contractual protections governing those services. The regulation entered into force in January 2023 and applies from 17 January 2025; affected financial entities and ICT providers have until then to achieve full compliance. After that date, competent authorities can impose fines and require firms to remedy identified deficiencies.
DORA has implications beyond the EU, as it also applies to non-EU companies providing ICT services to EU-based financial institutions.
Key stakeholders in the financial industry must prepare for compliance by aligning their contracts with the new standards. Non-compliance can result in severe consequences, including administrative fines, measures against members of the management body, reputational damage and, where a Member State chooses to provide for them, criminal penalties.
Key Dates:
- January 2023: DORA entered into force.
- January 2024: First batch of regulatory and implementing technical standards finalized.
- July 2024: Second and final batch of technical standards published.
- 17 January 2025: DORA applies; full compliance required.
Who Will Be Affected?
DORA applies to a broad range of financial entities, such as banks, investment firms, payment institutions and insurance companies, as well as to ICT third-party service providers that meet the criteria set out in the regulation. Providers designated as critical are brought under a dedicated oversight framework operated by the European Supervisory Authorities.
ICT Services Defined:
ICT services are digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services that involve technical support via software or firmware updates. A provider is designated as critical based on, among other things, the systemic impact that a failure of its services would have on the stability, continuity or quality of financial services, and on the degree of substitutability of those services.
Impact and Compliance:
Financial institutions must maintain a robust ICT risk management framework, classify and report major ICT-related incidents, and carry out digital operational resilience testing. Contracts with third-party ICT providers must meet DORA's standards, including pre-contractual due diligence, defined service levels and monitoring of them, audit and access rights, and termination rights supported by documented exit strategies.
While DORA applies to the EU, the UK has a separate operational resilience regime (the PRA and FCA rules) designed to align with global standards on operational resilience. UK firms must be able to remain within their impact tolerances for important business services by 31 March 2025, so firms operating in both jurisdictions face deadlines only weeks apart.
With the compliance deadline fast approaching, it is crucial for affected organizations to identify gaps in their processes, update their policies, and negotiate contracts that reflect the new requirements.
In case you have any questions or need any assistance, please do not hesitate to contact us for further professional assistance.
Disclaimer: The information contained in this article is provided for informational purposes only, and should not be construed as legal advice on any matter. Andria Papageorgiou Law Firm is not responsible for any actions (or lack thereof) taken as a result of relying on or in any way using information contained in this article and in no event shall be liable for any damages resulting from reliance on or use of this information.