ARTICLE
1 February 2023

DORA: Time To Start Preparing!

Schoenherr Attorneys at Law
Contributor
We are a full-service law firm with a footprint in Central and Eastern Europe providing local and international companies stellar advice. As the go-to legal advisor for complex commercial matters in the region, Schoenherr aims to use its proximity to industry leaders in developing practical solutions for future challenges. We keep a close eye on trends and developments, which enables us to provide high quality legal advice that is straight to the point.
Austria Technology

Regulation (EU) 2022/2554 (Digital Operational Resilience Act – "DORA") entered into law on 17 January 2023. DORA will not only apply to most regulated financial institutions, including crypto asset service providers, but also to critical third-party information and communications technology ("ICT") providers, like cloud computing providers.

DORA's primary objective is to ensure a high level of digital operational resilience against cyber risks. As such, DORA introduces new governance structures as well as internal systems and control requirements for financial entities. The regulation stipulates the management body's responsibility for a governance and control framework and ultimate accountability for the entity's ICT risk. Financial sector entities are required to establish policies, procedures and protocols to ensure the security, resilience and continuity of their IT systems. This includes incident management to ensure the monitoring of ICT-related incidents and the reporting of major incidents to the relevant authorities. Furthermore, to prepare for incidents and to identify weaknesses, it involves periodic testing of the resilience of IT systems and processes and the implementation of corrective measures. A major challenge on the way to DORA compliance will be managing third-party risk, which not only covers the ICT risk management framework but also requires outsourcing agreements to comply with DORA and its contracting requirements.

Even though DORA enters into force only two years from now (on 17 January 2025), the schedule is tight given the time necessary for financial entities to adapt their processes, procedures and systems and remediate any contracts with ICT service providers. To nudge regulated institutions towards compliance and in preparation for DORA, the FMA has announced in its annually published supervisory priorities that it will focus on ICT risks, their risk management and governance in 2023 (see our summary of the FMA supervisory priorities for 2023 here).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
