The DORA regulation (Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector) is an essential piece of European legislation aiming to bolster cybersecurity within the EU.
In this effort, it joins the NIS2 directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union). While several types of financial institutions fall under the NIS2 directive, it is primarily DORA that aims specifically at enhancing the operational resilience of the financial sector while establishing a comprehensive framework to ensure that all financial entities regulated under DORA can withstand, respond to, and recover from disruptions and threats related to information and communications technology (ICT).
Supplementing other EU regulatory frameworks, DORA (along with NIS2) introduces a unified set of standards for digital operational resilience that regulated financial entities must integrate into their risk management strategies from its date of application, January 17, 2025.
To Whom Does the Regulation Apply?
To establish a high level of cybersecurity within the EU’s financial system, European legislators decided to include a wide range of financial institutions that will be required – to a greater or lesser extent – to apply the rules and standards introduced by DORA. The list of obliged entities under DORA includes, among others: credit institutions, investment firms, insurance and reinsurance undertakings, payment and electronic money institutions, managers of alternative investment funds, UCITS management companies, crypto-asset service providers, crowdfunding service providers, and ICT third-party service providers.
The entities subject to DORA are recognized as essential to the infrastructure and security of the EU’s financial system. As such, they are expected to maintain a high level of digital operational resilience to protect both the financial markets as well as their participants.
Obligations Under DORA
Entities subject to DORA are expected to comply with a range of requirements imposed by the regulation, including various technical, organizational, and legal measures. The core obligations to be implemented by the respective entities include: (a) ICT risk management, (b) reporting of cybersecurity incidents to competent authorities, including the establishment of communication channels, (c) regular testing of the digital operational resilience, (d) regular training of employees and managers, and (e) management of risks related to third-party service providers (including setting up key contractual provisions with such providers).
In addition to these core obligations, financial institutions may also (under certain conditions) enter into information-sharing arrangements on cyberthreat information and intelligence, which should further solidify security and cyberthreat awareness across the EU through the sharing of experience with various cyberattacks and their practical solutions.
Czech Implementation of the EU Cybersecurity Regulation
The upcoming Czech implementation of the EU’s cybersecurity regulation has several specific features. A new draft act on cybersecurity is currently being discussed in the Czech Parliament; it should transpose NIS2 into Czech legislation and replace the current Act on Cybersecurity, which has been in force since 2014. On top of various additional requirements and obligations introduced specifically by the Czech legislator, the draft act also brings several financial institutions into scope beyond those already covered by NIS2, namely payment institutions and e-money institutions, provided they meet specific payment volume criteria.
In addition to the draft Act on Cybersecurity, a new draft Act on Digital Finance has also been introduced, aiming at implementing – or, more specifically, further expanding – the DORA regulation as well as the MiCA regulation (Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets) in Czech law. The Act on Digital Finance establishes the Czech National Bank (CNB) as the supervisory authority for the cybersecurity of financial institutions under DORA, with the power to impose remedial measures and fines on the institutions under its supervision. Furthermore, because the Czech National Cyber and Information Security Agency (NCISA) will be the general supervisory authority for cybersecurity-related matters, overlapping supervision may arise in practice, as several types of financial institutions may fall under the supervision of both the NCISA and the CNB.
By Ondrej Havlicek, Partner, and Martin Svoboda, Associate, Schoenherr
This article was originally published in Issue 11.12 of the CEE Legal Matters Magazine.