Countdown to DORA: The Regulation applies from 17 January 2025

On 27 December 2022 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector [1] (the “Regulation” or “DORA”) and Amending Directive (EU) 2022/2556 [2] (the “Amending Directive”) were published in the Official Journal of the EU and will enter into force on 16 January 2023. The Regulation will apply from 17 January 2025. Member States are required to adopt the measures necessary to comply with the Amending Directive, also by 17 January 2025.

DORA represents the EU’s response to the ever-increasing number of cyberattacks against financial institutions. It is designed to strengthen the security of EU financial firms (the umbrella term “financial entities” is used), such as banks, insurance companies, payment and e-money institutions, investment firms and others, by imposing resilience requirements and regulating the supply chain. Its aim is to ensure that the services these firms provide are not disrupted by cyberattacks, outages or other risks to the integrity and continuity of those services.

DORA harmonises and consolidates key elements of existing digital resilience frameworks and standards within the EU [3], but it also introduces new requirements. Financial entities tend to outsource much of their IT and operate complex architectures. It is also for this reason that DORA applies to third-party providers of ICT services and affects the contracts financial entities conclude with those providers. The sharpened focus on third-party risk management is evident throughout DORA. The new regulation also brings into scope providers of critical information to the financial services sector, such as credit rating, critical benchmarking and data reporting services, as well as financial market infrastructure providers such as central securities depositories, central counterparties and trading venues.

Broadly, DORA consists of requirements in five main areas:

  • ICT risk management.
  • ICT incident reporting.
  • Digital operational resilience testing.
  • ICT third-party risk management.
  • Information and intelligence sharing.

It is pertinent to note that DORA embraces the principle of proportionality and thus follows the approach found in many other regulations: in a sense, it puts the onus back on the individual financial entity to assess and justify the standard and extent of the requirements it needs to prepare for and eventually implement.

Critical to an efficient implementation of DORA will also be the awaited raft of Regulatory/Implementing Technical Standards and Guidelines which will supplement DORA. In Annex 1 to the MFSA Circular on the publication of DORA, issued on 4 January 2023, [4] the MFSA sets out different delivery deadlines for the planned work in this regard, running up to the applicability date of January 2025.

Compliance with DORA is undoubtedly no easy task and can be a “game changer”. The various entities to whom DORA applies have a tight two-year preparatory term, which should be used to undertake a gap analysis of their ICT risk management framework, including reviews of the internal governance structure and of the ICT risk and incident management and reporting mechanisms already in place. Entities should also reassess and, where necessary, renegotiate their agreements with third-party ICT service providers to make them compliant with DORA. Entities should also be prepared for increased supervisory engagement in this area when DORA enters into force, considering that the Regulation provides supervisors with wider, far-ranging mandates and powers. The real consideration for financial institutions is ultimately how they approach it – as a compliance or “tick the box” exercise, or as a potential strategic opportunity.

[1] Which amends Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011

[2] Which amends Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector

[3] To-date it does not appear that any existing laws or regulations or guidelines will be repealed, instead these would exist alongside DORA

[4] https://www.mfsa.mt/publications/circulars/supervisory-ict-risk-and-cybersecurity-circulars/