Key takeaways
Since 17 January 2025, entities across the financial sector must comply with the Digital Operational Resilience Act (DORA).
However, not all delegated and implementing regulations and guidelines under DORA are finalised and applicable, which complicates compliance with these rules.
Financial entities should closely follow guidance from the European Commission, the European Supervisory Authorities and the relevant national competent authorities to ensure satisfactory compliance with the framework.
DORA
On 17 January 2025, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (Digital Operational Resilience Act, DORA) entered into force. Since that date, Member States must also apply the national transpositions of Directive (EU) 2022/2556 (DORA Directive).
Summary of key rules
We published an in-depth client briefing on DORA in 2023 following its adoption. To recap, DORA introduces a digital operational resilience framework that applies to financial services providers across the EU financial sector, from payment institutions to fund managers and credit institutions. The Act also applies to ICT providers, both indirectly and directly, under certain conditions.
DORA is organized around five pillars:
- ICT risk management: Financial entities must have an internal governance and control framework in place that ensures an effective and prudent management of ICT risk. To this end, DORA sets out key principles and requirements. The framework also requires financial entities to implement a sound, comprehensive and well-documented ICT risk management framework (including strategies, policies, procedures, ICT protocols).
- ICT-related incident management, classification and reporting: Financial entities must put in place ICT-related incident management processes and procedures to detect, manage and notify ICT-related incidents. These incidents must also be comprehensively documented and classified, so that ‘major’ ICT-related incidents are reported to the relevant competent authority of the financial entity (as well as to the national CSIRT designated or established in accordance with the NIS2 Directive, where this is required by the Member State) and, where applicable, to their clients. Financial entities may also, voluntarily, notify significant cyber threats to the relevant competent authority.
- Digital operational resilience testing: Financial entities must maintain a digital operational resilience testing programme as part of the ICT risk-management framework, to identify weaknesses, deficiencies and gaps in digital operational resilience, among other purposes. The tests must be performed by independent parties. Financial entities identified as playing a systemic role have to perform advanced testing of underlying ICT systems, processes and technologies supporting critical or important functions and ICT services.
- Management of ICT third-party risk: DORA also sets out principle-based rules for the management of third-party risks by financial entities within the ICT risk management framework. In addition, financial entities must have in place contractual arrangements with ICT third-party service providers that feature specified key contractual provisions. Ancillary obligations include reporting and notification obligations to supervisory authorities, mandatory risk assessments and maintaining a register of all arrangements. DORA also imposes an oversight framework for those ICT third-party service providers designated by the European Supervisory Authorities as being critical to the financial sector.
- Information-sharing arrangements on cyber threat information and intelligence: Finally, DORA lays down the requirements applicable to arrangements that financial entities may set up voluntarily, to exchange information on cyber threats and intelligence. Those arrangements must set out the conditions of participation...