澳门六合彩资料

Skip to main content
Share via Copy link

Digital Operational Resilience Act (DORA)

The financial sector has, in recent years, become increasingly reliant on information and communications technology (ICT) systems and on information in digital form to deliver financial services, such that it is now of critical importance to the operation of daily functions.

As the sector’s dependency on ICT has increased, so too has its vulnerability to cyber risk – which can not only impact the financial entity in question but also, due to the interconnectedness of the industry, impact other financial entities, sectors and even the wider economy. In response, the EU’s Digital Operational Resilience Act (DORA) has entered into force.

By 17 January 2025, financial entities and ICT third party service providers (ICT TPPs) will need to be compliant with DORA’s extensive requirements.

A key aspect of DORA is the requirement for financial entities to include certain contractual provisions in ICT service contracts entered into with ICT TPPs. Our experienced team of digital and sourcing lawyers are helping organisations with their contract remediation efforts. Please do contact us to find out how we can help you.

Contact us

Frequently asked questions

DORA is a comprehensive framework addressing the digital operational resilience needs of financial entities and establishing an oversight framework for ICT TPPs designated as 鈥榗ritical鈥 within the EU financial sector.

DORA consolidates and upgrades ICT risk management, creating uniform requirements for the security of network and information systems supporting business processes of financial entities.

DORA will apply across the EU single market and is directly applicable to:

  • A wide range of EU financial entities.
  • ICT TPPs designated as 鈥榗ritical鈥 (including those that are based outside of the EU providing services to financial entities) (CTTPs).

Whilst DORA will not apply directly to financial services firms in the UK, multi-national/UK financial services groups with EU operations will need to ensure that those financial entities are DORA compliant.

Each CTTP is subject to direct oversight by a European Supervisory Authority (鈥淓SA鈥). The oversight framework provides the relevant ESA with broad powers, including the ability to request information and carry out inspections and investigations to assess whether a CTTP has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage ICT risk it poses to financial entities.

Digital Operational Resilience Act timeline

Key dates and supplementary guidance for implementation.

DORA voted in the European plenary session.

DORA enters into force - two year implementation period.

(Date of final draft report:10 January 2024)

(Adopted: 22 February 2024)

(Adopted: 22 February 2024)

(Adopted: 13 March 2024)

(Adopted: 13 March 2024)

(Adopted: 13 March 2024)

(Date of final draft report: 17 July 2024)

(Date of final draft report: 17 July 2024)

(Date of final report: 17 July 2024)

(Date of final report: 17 July 2024)

(Date of final draft report: 17 July 2024

(Date of final draft report: 17 July 2024)

(Date of final draft report: 17 July 2024)

(Date of final draft report: 26 July 2024)

DORA applies to in-scope firms.

Five pillars of DORA

DORA’s requirements are comprehensive and fall into five broad key pillars, as indicated below. Each pillar has extensive requirements which need to be implemented by financial entities by 17 January 2025.

DORA five pillars summary

Financial entities must establish an ICT risk management framework (including procedures, strategies and policies) as well as frameworks related to governance and controls.

ICT risk management

Financial entities must establish and implement an ICT-related incident management process (includes detection, management and reporting).

Incident management, classification and reporting

Financial entities must regularly test their digital operational resilience with certain entities required to perform advanced threat led penetration testing for critical functions.

Digital operational resilience testing

Financial entities must comply with certain requirements related to its use of third-party service providers. A key element of this is the ICT contract remediation requirement, an area which is directly relevant to the legal function and where our experienced team at 澳门六合彩资料 can assist you.

Third-party risk management

Financial entities should be on the front foot in exchanging cyber threat information and intelligence amongst themselves. This includes indicators of compromise, tactics, techniques, and procedures, cyber security alerts, and configuration tools.

Information sharing

DORA’s requirements are comprehensive and fall into five broad key pillars, as indicated below. Each pillar has extensive requirements which need to be implemented by financial entities by 17 January 2025.

DORA five pillars summary

Financial entities must establish an ICT risk management framework (including procedures, strategies and policies) as well as frameworks related to governance and controls.

ICT risk management

Financial entities must establish and implement an ICT-related incident management process (includes detection, management and reporting).

Incident management, classification and reporting

Financial entities must regularly test their digital operational resilience with certain entities required to perform advanced threat led penetration testing for critical functions.

Digital operational resilience testing

Financial entities must comply with certain requirements related to its use of third-party service providers. A key element of this is the ICT contract remediation requirement, an area which is directly relevant to the legal function and where our experienced team at 澳门六合彩资料 can assist you.

Third-party risk management

Financial entities should be on the front foot in exchanging cyber threat information and intelligence amongst themselves. This includes indicators of compromise, tactics, techniques, and procedures, cyber security alerts, and configuration tools.

Information sharing

What should financial entities and ICT TPPs be doing now?

  1. Understand the extent to which the financial entity falls within scope of DORA and ensure DORA鈥檚 requirements are understood.
  2. Establish and/or amend all policies, processes, procedures and frameworks to meet DORA鈥檚 requirements by 17 January 2025.
  3. From a contractual remediation perspective, by 17 January 2025:
    1. identify and map ICT TPPs and contractual arrangements (including intra-group) to each financial entity (categorising those which support critical or important functions),
    2. collate existing contracts with ICT TPPs,
    3. engage with ICT TPPs, and
    4. amend ICT TPP contracts in line with DORA requirements.

  • Pro-actively prepare for financial entities amending existing contractual terms, which may include ICT TPPs issuing their own standard amendment documentation to financial entities.
  • Consider whether a CTTP designation is likely, and if so, understand actions needed to be taken to comply with DORA.

Contact our team