Austria: Digital Operational Resilience Act (DORA) – Opportunities and Challenges

The Digital Operational Resilience Act (DORA) is a central component of the EU’s Digital Finance Package. The aim is to enhance information and communications technology (ICT) security and digital operational resilience in the financial sector. Financial institutions and ICT service providers have until January 17, 2025, to fully implement the requirements.

What Is DORA?

DORA creates a unified legal framework to boost financial institutions’ resilience against digital threats in the EU. It applies to most regulated financial institutions, including investment firms, credit and payment institutions, and third-party ICT service providers. Specialized financial institutions with simplified risk management and microenterprises are mostly exempt. The principle of proportionality ensures implementation varies based on size, risk profile, and the complexity of services and operations.

DORA introduces new compliance requirements for financial institutions. Management must oversee ICT risk management, establish governance frameworks, monitor IT risks continuously, and prepare for emergencies. Standardized regulations mandate handling IT disruptions with strict reporting of incidents and regular IT audits.

To prepare for ICT-related incidents, DORA mandates an extensive testing framework. In particular, institutions in the scope of DORA must maintain and regularly review a robust and comprehensive IT resilience testing program, including threat-led penetration testing to identify and address vulnerabilities. These tests can be carried out by independent internal or external parties. In the case of internal testers, conflicts of interest must be ruled out.

Additionally, DORA applies not only to institutions but also to certain third-party service providers, meaning undertakings that provide ICT services to institutions on an ongoing basis. DORA also has extraterritorial reach, requiring entities outside of the EEA that provide ICT services to institutions within the EEA to comply with its regulations. A significant aspect of DORA in this context is that it specifies contractual terms that must be included in agreements with ICT suppliers.

While DORA will be implemented alongside existing regulatory guidelines of similar nature (particularly the EBA Outsourcing Guidelines) and essentially elevates some of the rules contained in these guidelines to directly applicable law, there are currently some distinctions between these two frameworks. The EBA is already working on a gap analysis and an update of the EBA Outsourcing Guidelines is expected to be published early next year.

What Challenges Need To Be Considered During Implementation?

DORA requires extensive adjustments to internal processes, risk management, and IT infrastructure, which means investing in new processes and technologies. Small and medium-sized companies can face challenges in providing the human and financial resources needed to fulfill the requirements. Another difficulty is the process of harmonizing requirements for third-party providers. To date, there are no uniform market standards in this area, particularly among international ICT service providers, and such standards will be very important given institutions' dependence on external ICT services.

What Are the Benefits?

DORA will significantly enhance protection against cyberattacks, thereby bolstering customer confidence in the financial sector. The framework places a strong emphasis on transparency and accountability, ensuring that customers are well-informed about the operational resilience of financial service providers. This is further underscored by the stringent incident reporting requirements mandated by DORA.

The regulation is also anticipated to foster close collaboration between ICT service providers and financial institutions. This partnership is expected to drive technological innovation, merging the traditional expertise of banking units with the cutting-edge advancements of ICT service providers. This synergy will likely result in superior digital solutions for financial service customers, enhancing the overall quality and reliability of financial services.

Supervision and Sanctions

ICT third-party service providers critical for financial institutions will be supervised by the European Supervisory Authorities (ESAs), with one authority (EBA, ESMA, or EIOPA) as the lead. This designation is based on the institution’s primary financial supervision type. The lead supervisory authority has the right to obtain information, conduct investigations, request the preparation of reports, and make recommendations in order to fulfill its duties.

Financial companies must comply with the DORA framework, which will be monitored by the national competent authorities (e.g., the FMA in Austria). National competent authorities can impose administrative penalties for breaches, defined by national law. Member States may also impose criminal sanctions, ensuring cooperation between law enforcement and the ESAs, with guaranteed information exchange. In Austria, the DORA Implementation Act will take effect on January 17, 2025, imposing administrative penalties of up to EUR 150,000 on officers and managers, and the higher of EUR 500,000 or 1% of annual turnover on institutions.

By Robert Wippel, Partner, and Balint Ozsvar, Associate, Baker McKenzie Austria

This article was originally published in Issue 11.12 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.