On 27 December, 2022, the Regulation (EU) 2022/2554 on Digital Operational Resilience for the financial sector was published in the Official Journal of the European Union. Also known as Digital Operational Resilience Act (DORA), the Regulation intends to harmonise rules regarding digital resilience in the financial sector across all Member States.
DORA’s main objectives are to elevate the financial sector’s operational resilience, further enhance security requirements to reduce threats and risks deriving from the use of ICT, and build up operational resilience of the financial sector against ICT related incidents. These objectives are materialised by requirements based on five main pillars of the regulation:
ICT risk management;
ICT related incident management, including payment-related incidents;
Digital operational resilience testing;
Management of ICT third-party risks and oversight of critical ICT third-party service providers;
Information and intelligence sharing arrangements.
To do so, DORA implements rules for the majority of financial entities, including credit institutions, payment and e-money institutions as well as other entities of the financial sector, such as management companies as well as insurance players. All entities in scope are required to assess and comply with an extensive series of requirements regarding ICT aspects, as per the five pillars.
As part of its “A Europe Fit for the Digital Age” priority for 2019-2024, the Commission submitted the DORA proposal during the last quarter of 2020.
On 10 May 2022, the EU institutions came to a provisional arrangement which led to a favorable vote of the European Parliament on 10 November 2022. The text was finally adopted by the Council of the EU on 28 November 2022.
This regulation is part of a digital finance package of the European Commission, which aims at framing the digital transformation of the financial actors / sector and the growing adoption of new financial products inside the EU, to provide financial stability.
The regulation will become applicable on 17 January, 2025, to all 27 EU Members. All the entities in scope of this regulation would be well advised to use this duration of 24 months to comply with all aspects and requirements of the regulation. In most cases, all entities shall begin their compliance journey and start implementing or amending relevant procedures, processes, or controls to be certain that they will be compliant with DORA.
DORA will be accompanied by a set of Regulatory and Implementing technical standards (“RTS & ITS), that will be issued 12-, 18- or 24-months post application date, thus only after the 17 January 2024.
Why is this critical?
The introduction of DORA will certainly change the way financial institutions see operational resilience and the use of ICT tools and providers. It is important to note that DORA focuses on ensuring that financial entities are prepared to identify, monitor, and most importantly protect themselves from a variety of ICT related risks that are becoming significantly more common. It is critical to ensure that all relevant stakeholders are involved in the compliance journey, this is not only a compliance task, but inputs from your Information Security Officers, IT Officers, Risk Officers and others will be crucial. Besides, the management body stays responsible for overall compliance with DORA and is required to actively keep up to date with sufficient knowledge and skills to understand ICT risks and their impact on your entity.
New, and more sophisticated processes and controls will need to be implemented and although some entities might already be compliant with some of the provisions, e.g. credit institutions, investment firms, for many it will lead to adoption and creation of a set of new policies, ICT controls, resilience testing as well as incident reporting processes, therefore do start now with your compliance roadmap.
Companies in scope
Regulatory & Compliance Advisory Services - Banking - Partner, PwC Luxembourg
Tel: +352 49 48 48 2245
Manager, PwC Luxembourg
Tel: +352 621 334 132