Who Must Comply with the DORA Regulation?

The DORA (Digital Operational Resilience Act) regulation represents a milestone in the European Union’s strategy to strengthen the digital operational resilience of the financial sector. While DORA entered into force on January 16, 2023, its main provisions will become applicable from January 17, 2025. DORA aims to ensure that all financial entities are adequately prepared to manage challenges posed by cyber threats and technological disruptions. But who exactly is required to comply with this regulation? In this article, we will explore the scope of DORA and identify the entities obligated to adhere to its requirements.

1. Regulated Financial Entities

DORA applies to a wide range of financial entities operating within the European Union. These include:

  • Banks: All credit institutions subject to the Capital Requirements Directive (CRD IV).
  • Investment Firms: Companies providing investment services to clients, including those regulated by MiFID II.
  • Insurance and Reinsurance Companies: Including firms operating in life and non-life sectors.
  • Payment Institutions and Electronic Money Institutions: Regulated by the Payment Services Directive (PSD2).
  • Investment Funds: Including UCITS and AIFs (Alternative Investment Funds).
  • Asset Management Companies: Firms that manage funds on behalf of investors.
  • Financial Market Infrastructures: Such as central counterparties, central securities depositories, and regulated market operators.

2. Critical Third-Party ICT Service Providers

In addition to traditional financial entities, DORA extends its application to third-party ICT service providers that offer critical services to financial institutions. These include:

  • Cloud Service Providers: Offering infrastructure, platforms, or software as a service.
  • Data Analytics Providers: Managing or processing sensitive financial data.
  • Network and Communication Service Providers: Ensuring connectivity and security of communications.
  • Other ICT Service Providers: Supplying essential software, hardware, or related services for financial operations.

3. Third Parties and Outsourcing

The regulation recognizes the importance of managing risks associated with outsourcing and the use of third-party providers. Financial entities must:

  • Assess the risks associated with third-party ICT service providers.
  • Continuously monitor the performance and compliance of providers.
  • Establish clear contractual agreements, defining roles, responsibilities, and resilience requirements.

4. Supervisory and Regulatory Authorities

Competent national and European authorities are tasked with:

  • Supervising the compliance of regulated entities with the DORA regulation.
  • Conducting periodic assessments of the digital operational resilience of the sector.
  • Imposing sanctions in case of non-compliance or significant violations.

5. SMEs and Smaller Entities

While DORA has broad applicability, it also recognizes the principle of proportionality. Small and medium-sized enterprises (SMEs) and entities with a lower risk profile may benefit from requirements adapted to their size and operational complexity.

Conclusion

The DORA regulation represents a crucial step towards a more resilient and secure financial ecosystem within the European Union. Its wide application underscores the importance of comprehensive and coordinated preparation against digital threats. With the main provisions becoming applicable from January 2025, it is essential that all affected entities:

  • Fully understand the specific requirements of the regulation.
  • Implement adequate measures to strengthen their digital operational resilience.
  • Actively collaborate with third-party providers and supervisory authorities to ensure continuous compliance.

In an increasingly digital world, operational resilience is not just a regulatory necessity but a fundamental element for customer trust and the stability of the financial market.


Note: This article provides a general overview of the DORA regulation. For specific advice, it is recommended to consult legal or compliance experts.