Quick Hits
- The EU Digital Operational Resilience Act (DORA) aims to enhance security and resilience for financial institutions across Europe, protecting them from severe operational disruptions, such as cyberattacks or information and communication technology (ICT) incidents.
- DORA applies to a wide range of financial entities, including banks, insurance companies, investment firms, credit agencies, crypto-asset service providers, and ICT third-party service providers used within the financial sector.
- The European Supervisory Authorities (ESAs) have the authority to impose fines for noncompliance as of January 17, 2025.
DORA applies to financial entities operating within the EU and to the critical third-party technology service providers that support them, including providers located outside the EU. Under DORA’s mandate, financial market participants are subject to strict and complex requirements covering various aspects of ICT risk management. These obligations range from incident management and reporting to resilience testing and third-party risk management.
Key Measures
Financial entities within the scope of DORA must adopt and comply with obligations, including the following:
- Developing and maintaining a comprehensive ICT risk management framework capable of classifying, monitoring, preventing, or mitigating ICT-related risks, with regular reviews and internal audits.
- Establishing processes for reporting ICT-related or major incidents to the relevant supervisory authorities. National authorities will have to submit registers to ESAs by the end of April 2025.
- Developing and regularly reviewing ICT third-party risk management strategy, including mandatory provisions in contracts with ICT service providers and a registry of information documenting all existing contractual arrangements.
- Enforcing a digital operational resilience testing program that includes a range of assessments and tools.
- Encouraging financial entities to share information and intelligence about known cybersecurity risks.
DORA will apply directly to service providers designated as critical to the sector. It is not anticipated that essential ICT third-party service providers will be designated under DORA before the third quarter of 2025. Nonetheless, any service provider that fulfils the requirements for a critical third-party service provider level 2 may want to evaluate its operational processes in accordance with DORA specifications.
DORA is not directly applicable in the United Kingdom; however, the provisions will apply to UK organisations that have operations or interactions within the EU. In the UK, on January 1, 2025, the Policy Statement 16/24 issued jointly by the Financial Conduct Authority and the Prudential Regulation Authority, “Operational resilience: Critical third parties to the UK financial sector,” took effect, implementing similar resilience requirements for critical third parties operating within the UK.
Ogletree Deakins’ Cybersecurity and Privacy Practice Group and Technology Practice Group will continue to monitor developments and will provide updates on the Cross-Border, Cybersecurity and Privacy, and Technology blogs as additional information becomes available.
Simon J. McMenemy is the managing partner of the London office of Ogletree Deakins, and he is co-chair of the firm’s Cybersecurity and Privacy Practice Group.
Lorraine Matthews is a data protection and cybersecurity practice assistant in the London office of Ogletree Deakins.