On 28 November 2022, the Council of the European Union ("EU") (the "Council") adopted the Digital Operational Resilience Act ("DORA"), the final step in the legislative approval process, having been adopted by the European Parliament on 10 November 2022.
Background to DORA
DORA was part of a larger digital finance package published by the European Commission (the "Commission") in September 2020, which, in addition to DORA, contained a digital finance strategy; a retail payments strategy for the EU; and a proposed regulation on crypto-assets ("MiCA").
The Commission's rationale for proposing DORA in particular related to the:
- increased risks arising from the financial services sector's reliance on Information Communication Technologies ("ICT"); and
- lack of harmonised EU-level rules on digital operational resilience and the consequent fragmented and inconsistent rules at member state level.
Additionally, DORA is consistent with wider efforts at EU level to strengthen cybersecurity and address broader operational risks.
What is DORA?
DORA creates a regulatory framework on digital operational resilience whereby all EU financial entities are required to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. In particular, DORA:
- enhances and streamlines financial entities' conduct of ICT risk management;
- establishes thorough testing of ICT systems and increases supervisors' awareness of cyber risks and ICT-related incidents faced by financial entities;
- introduces powers for financial supervisors to oversee risks stemming from financial entities' dependency on ICT third-party service providers;
- creates a consistent incident reporting mechanism that will help reduce administrative burdens for financial entities; and
- strengthens supervisory effectiveness.
Application of DORA
DORA applies to a wide range of financial firms (as detailed in the below table), as well as critical third parties which provide ICT-related services to these firms. Importantly, DORA does acknowledge that there are differences between these firms in terms of size and overall exposure to digital risk and therefore adopts a proportionate application of the rules.
|Financial entities within the scope of DORA|
|---|
|Electronic money institutions|
|Insurance and reinsurance undertakings, including intermediaries and ancillary intermediaries|
|Crowdfunding service providers|
|Crypto-asset service providers|
|Credit rating agencies|
|Account information service providers|
|Administrators of critical benchmarks|
|Data reporting service providers|
|Central securities depositories|
|Trading venues|
|Central counterparties|
|AIFMs and UCITS management companies|
As mentioned above, the adoption of the final text by the Council is the final step in the legislative process. DORA will now be published in the Official Journal of the EU (the "OJ") and will come into force on the twentieth day following its publication in the OJ. DORA will apply 24 months from the date of its entry into force. During this 24-month period, the European Supervisory Authorities will develop technical standards for the financial services institutions under their supervision in respect of the application of DORA. In the normal manner, national competent authorities will be responsible for compliance oversight and enforcement of DORA.
Impacted firms will now need to conduct a gap analysis of DORA's requirements against their current processes and procedures to identify the extent of the work required to ensure compliance with DORA.
With regard to the interaction between DORA and the Central Bank of Ireland's Operational Resilience Guidelines, please see Matheson LLP's Insight entitled "Understanding the interaction between DORA and the Central Bank's Operational Resilience Guidance".
This article was co-authored by partners Joe Beashel, Louise Dobbyn, Darren Maher, Gráinne Callanan, Niamh Mulholland, Elaine Long and professional support lawyer Claire Scannell. Should you have any queries in respect of the above, please do not hesitate to contact any member of Matheson LLP's Financial Institutions Group or your usual Matheson LLP contact.