DORA: Financial Sector Digital Operational Resilience Regulation 

On 17.1.2025, the new Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (hereinafter referred to as "DORA"), which establishes uniform regulatory rules for improving cyber security in the area of financial services, will enter into force. This new legal framework concerns the usual financial service providers (banks, PIs, EMIs, OCPs, etc.), which already today have to comply with strict rules on risk management in the area of information and communication technologies (ICT). However, the scope of DORA also extends to other listed entities, e.g. providers of services connected to crypto-assets, providers of group financing services (crowdfunding), and even third parties that provide ICT-related services to such entities, such as suppliers of cloud solutions, data centres, etc.

DORA brings a whole range of general regulatory obligations and requirements for setting up and maintaining an ICT risk management system. When applying this regulation, however, it is necessary to follow the principle of proportionality and take into account the size, risk profile and complexity of the financial services provided. Many exemptions apply, e.g. to micro-enterprises (fewer than 10 employees and an annual turnover of up to EUR 10 million), small and non-interconnected investment firms, etc.

Among the key rules that DORA brings, and which financial entities must implement by the above-mentioned deadline, are:

  1. Elaboration of an internal framework for the management of risks associated with the operation of ICT;
  2. Implementation of cyber security at the required level, which includes both technical measures (e.g. firewalls, anti-virus protection, data backups) and organisational measures (e.g. internal control functions, employee training);
  3. Creation of ICT business continuity plans, including plans for managing crisis situations and crisis scenarios, together with internal policies for maintaining ICT operations;
  4. Consistent monitoring and reporting of potential ICT incidents using an established unified system;
  5. Regular testing of the security resilience of information systems, including the creation of internal frameworks for conducting such testing;
  6. Screening and monitoring of the cyber resilience of ICT service providers (suppliers).

Violation of the obligations arising from DORA may result in administrative sanctions, including substantial administrative fines and corrective measures imposed by the supervisory authority.