DORA: Regulation on Digital Operational Resilience for the Financial Sector
DORA is the Regulation on digital operational resilience for the financial sector which entered into force in December 2022. It introduces new ICT risk requirements, but also consolidates and upgrades existing ones.
The compliance deadline is January 2025.
The new requirements apply to the following financial entities:
(a) credit institutions;
(b) payment institutions;
(c) account information service providers;
(d) electronic money institutions;
(e) investment firms;
(f) crypto-asset service providers;
(g) central securities depositories;
(h) central counterparties;
(i) trading venues;
(j) trade repositories;
(k) managers of alternative investment funds;
(l) management companies;
(m) data reporting service providers;
(n) insurance and reinsurance undertakings;
(o) insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries;
(p) institutions for occupational retirement provision;
(q) credit rating agencies;
(r) administrators of critical benchmarks;
(s) crowdfunding service providers;
(t) securitization repositories;
(u) ICT third-party service providers.
ICT third-party service providers include, for instance, telecommunication network operators, software providers, hardware providers and cloud computing providers; all such companies providing services to the financial entities listed above fall within the scope of DORA.
DORA addresses ICT risk through targeted rules on ICT risk-management capabilities, incident reporting, operational resilience testing (including penetration testing) and ICT third-party risk monitoring. Its key requirements rest on five pillars: an ICT risk management framework; gathering information on vulnerabilities, cyber threats and incidents; ICT-related incident management, classification and reporting; managing ICT third-party risk; and information-sharing arrangements.
On 17 January three Regulatory Technical Standards (RTS) were adopted: the RTS on the ICT Risk Management Framework and on the simplified ICT Risk Management Framework, the RTS on the classification of major incidents and significant cyber threats, and the RTS specifying the policy on ICT services supporting critical or important functions.

Follow us for the latest updates in the field and contact us for a free consultation at info@cyen.eu.
