Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554, is a European Union regulation. [1] [2] It requires financial entities to improve their digital operational resilience.

Aim

DORA aims to improve the digital operational resilience of financial entities in the EU and their ICT suppliers and create a uniform regulatory framework across the EU, in order to reduce the susceptibility to cyber threats across the entire value chain of the financial sector. In addition, DORA intends to harmonize national regulations regarding the security of IT systems in the financial sector, thus strengthening the European financial market as a whole against cyber risks and information and communications technology incidents.

Scope

The regulation applies to financial entities and third-party suppliers of ICT services. Article 2 defines financial entities as:

The regulation explicitly does not apply to:

Proportionality principle

Article 4 defines the proportionality principle, which results in some exceptions for smaller enterprises that fall within the scope of the regulation despite their size. It allows certain requirements to be implemented in a simplified form, in accordance with the overall risk profile of the enterprise. An example of this is the simplified ICT risk management framework under Article 16, in combination with a regulatory technical standard (RTS).

Structure

The regulation comprises 64 articles divided into 9 chapters:

  1. General provisions (Art. 1–4)
  2. ICT risk management (Art. 5–16)
  3. ICT-related incident management, classification and reporting (Art. 17–23)
  4. Digital operational resilience testing (Art. 24–27)
  5. Managing of ICT third-party risk (Art. 28–44)
  6. Information-sharing arrangements (Art. 45)
  7. Competent authorities (Art. 46–56)
  8. Delegated acts (Art. 57)
  9. Transitional and final provisions (Art. 58–64)

In addition, the European Supervisory Authorities (ESAs) develop regulatory and implementing technical standards (RTS and ITS), which also become legally binding once they are published in the Official Journal of the European Union:

| Type | Subject | DORA reference | Implemented | Status |
|---|---|---|---|---|
| RTS | ICT risk management framework | Art. 15 | Commission Delegated Regulation (EU) 2024/1774 | In force |
| RTS | Simplified ICT risk management framework | Art. 16 (3) | Commission Delegated Regulation (EU) 2024/1774 | In force |
| RTS | Classification of ICT-related incidents and cyber threats | Art. 18 (3) | Commission Delegated Regulation (EU) 2024/1772 | In force |
| RTS | Content of the reports for major ICT-related incidents | Art. 20 (a) | | Adopted October 23, 2024; pending publication in Official Journal |
| ITS | Standard forms, templates and procedures for financial entities to report a major ICT-related incident | Art. 20 (b) | | Final draft published July 17, 2024 |
| RTS | Threat-led penetration testing | Art. 26 (11) | | Final draft published July 17, 2024 |
| ITS | Standard templates for the purposes of the register of information | Art. 28 (9) | | Draft rejected by the Commission on September 3, 2024 |
| RTS | Policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers (third-party policy) | Art. 28 (10) | Commission Delegated Regulation (EU) 2024/1773 | In force |
| RTS | Specification of elements when subcontracting ICT services supporting critical or important functions | Art. 30 (5) | | Final draft published July 26, 2024 |
| Guidelines | Cooperation between the ESAs and the competent authorities regarding the structure of the oversight framework | Art. 32 (7) | | Published November 6, 2024 |
| RTS | Harmonisation of conditions enabling the conduct of the oversight activities | Art. 41 | | Adopted October 24, 2024; pending publication in Official Journal |

Impact

DORA will have an impact on pension schemes. Pension schemes with more than 15 but fewer than 100 members will be subject to a simplified ICT risk management framework. [3]

References

  1. Pattison, Andrew. A Guide to the EU Digital Operational Resilience Act. Walter de Gruyter. ISBN 9781787784536.
  2. Rodenburg-Luitse, Willemijn (2023-01-25). "EU neemt met Dora baanbrekende it-wetgeving aan". Computable.nl (in Dutch). Retrieved 2024-05-21.
  3. "Exploring DORA's Impact on Pension Schemes". Mason Hayes Curran. Retrieved 2024-12-12.