Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), is a European Union regulation aimed at strengthening the digital operational resilience of financial entities, that is, their ability to keep operating through disruptions and threats affecting their information and communication technology (ICT). It was adopted on December 14, 2022, and applies from January 17, 2025.
The main objectives of the DORA Regulation are:
- Improve digital resilience: Ensure that financial entities in the EU can withstand, respond to and recover from ICT-related incidents and disruptions, whether caused by attacks, failures or outages.
- Harmonize regulations: Replace the patchwork of national and sector-specific rules with a single, directly applicable framework for managing ICT risk in the financial sector across the EU.
- Reduce vulnerability: Decrease exposure to cyber threats along the entire value chain of the financial sector, including the ICT third-party providers on which financial entities depend.
The Regulation applies to a wide range of financial entities and ICT service providers, including:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers
- Central counterparties
- Central securities depositories
- Trading venues
- Alternative investment fund managers
- Insurance and reinsurance undertakings
- ICT third-party service providers, with those designated as critical placed under a Union-level oversight framework.
The main requirements of the Regulation include:
- ICT risk management: Financial entities must implement and maintain an ICT risk management framework (strategies, policies, procedures, protocols and tools) covering the full lifecycle: identify ICT risk, protect and prevent, detect, respond and recover, and learn from incidents. The management body is responsible for the framework and must approve and oversee it.
- ICT-related incident management: Entities must log, classify and, for major ICT-related incidents, report to the competent authorities within defined deadlines (initial notification, intermediate report and final report). Reporting of significant cyber threats is voluntary.
- Digital operational resilience testing: Entities must test their ICT systems at least once a year using a range of methods (vulnerability assessments, scenario-based tests, penetration testing and similar). Entities identified as significant must in addition carry out threat-led penetration testing (TLPT) against live production systems at least every three years, with critical ICT third-party providers included in scope.
- ICT third-party risk management: Entities must manage the risks arising from ICT third-party service providers, including contractual arrangements that contain the minimum provisions the Regulation prescribes, a register of information on all such arrangements, assessment of concentration risk, and continuous monitoring for the duration of the relationship.
- Information sharing: Entities may exchange cyber threat information and intelligence with each other, provided the arrangements protect the sensitivity of the data shared and comply with competition and data protection rules.
The Regulation was published in the Official Journal of the European Union on December 27, 2022, entered into force on January 16, 2023, and applies from January 17, 2025. Because it is a regulation rather than a directive, it is directly applicable in all Member States without national transposition.
Official text of the Regulation: Regulation (EU) 2022/2554 on EUR-Lex, https://eur-lex.europa.eu/eli/reg/2022/2554/oj