Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”), which establishes a uniform set of requirements relating to the security of network and information systems supporting financial system participants’ business processes, is now live as of 17 January 2025, without any transitional provision.
A wide range of rules applicable to managing ICT risks, including risks linked to ICT third-party service providers, is now in force. DORA applies to nearly all financial entities regulated in the EU, with very few exemptions for smaller institutions. For the first time, it also covers major unregulated ICT third-party service providers, a significant shift in European financial regulation.
In particular, DORA requires financial firms to:
- have internal governance and control frameworks that ensure they manage all ICT risks effectively;
- have a robust ICT risk management framework that enables them to address ICT risk;
- report major ICT-related incidents and notify significant cyber threats to their competent authorities;
- carry out digital operational resilience testing (see Digital Operational Resilience Testing);
- manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework; and
- share information and intelligence about cyber threats and vulnerabilities.
DORA also lays down rules for the establishment and conduct of a new oversight framework for critical ICT third-party service providers (which include many of the large technology companies) when they provide services to financial firms.