The Digital Operational Resilience Act (“DORA”) was adopted by the European Council on 28 November 2022 (Regulation EU 2022/2554) and came into force on 16 January 2023. The purpose and motivation behind the legislation was to strengthen the IT security of financial entities across the EU with a view to combatting the ever-increasing risks of cyber-attacks and threats to the IT infrastructure of financial institutions.
Overview
The regulation encourages financial institutions and financial intermediaries to identify and manage operational risks and adopt measures to prevent Information and Communication Technology (“ICT”) threats and data breaches.
The European Commission (“EC”) first proposed the DORA framework in 2020 as part of a larger digital finance package with the objective of ensuring financial stability and consumer protection. The regulation applies to regulated financial service providers such as banks, investment firms, insurance companies and e-money institutions and sets uniform requirements for the security of networks and systems within these companies.
Applicability in Ireland
From an Irish perspective, DORA applies to a wide range of financial entities regulated by the Central Bank of Ireland. It brings together provisions addressing digital operational risk and introduces targeted rules on ICT risk management including ICT incident management; classification and reporting; digital operational resilience testing and managing ICT third-party risks.
Technical Standards – Two Phased Approach
The European Supervisory Agencies (“ESAs”), which include the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority are working in unison to develop the technical standards that will be required by the DORA regulation.
These technical standards are being divided into two batches for public consultation under which the first batch is due to be submitted to the EC for adoption before 17 January 2024, while the second batch is due to be adopted before 17 July 2024.
The first set of the regulatory technical standards (“RTS”) and one implementing technical standard (“ITS”) that are to be submitted by the ESAs to the EC are the following:
ICT Risk Management
The RTS on the ICT Risk management framework reflects the applicable provisions in Articles 15 and 16 of DORA and focuses on the following headline areas:
The second package of implementing measures will address (in summary) the content and timelines for incident reporting, the criteria for determining sub-contracting of critical ICT services and the framework around threat-led penetration testing.
Public Consultation
The public consultation on the first batch lasted until 11 September 2023. Based on the feedback received, the ESAs have confirmed that the legal instruments will be finalised and submitted to the EC by 17 January 2024. The public consultation on the second batch of policy products is expected by the end of December 2023.
Next Steps
DORA will apply from 17 January 2025. While the new legislation will bring harmonisation of the rules relating to operational resilience for the financial sector, there is now an onus on regulated financial service providers to review the first batch of draft technical standards to ensure they will have the capacity for compliance with the standards once they are finalised.
Further Information
For further guidance on DORA or for any ancillary advice, please contact Odhran Banim, Partner in our Corporate & Commercial Team.
Search site
Contact our office
Make an enquiry
