Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) has been in force since January 2023. DORA is a European regulation that aims to ensure that financial organisations improve the controls over their IT risks and thus become more resilient against cyber threats. DORA should be considered a piece of cybersecurity legislation specifically tailored to the financial sector. Existing legislation that also provides normative guidance on cybersecurity, such as the NIS2 Directive, remains in place.

As several of FAME's stakeholders are part of the financial sector, this regulation may be of direct relevance to them.

Legal basis for Digital Operational Resilience Act

DORA applies to the following financial entities:

Credit institutions; Payment institutions; Account information service providers; Electronic money institutions; Investment firms; Crypto-asset service providers; Central securities depositories; Central counterparties; Trade venues; Trade repositories; Managers of alternative investment funds; Management companies; Data reporting service providers; Insurance and reinsurance undertakings; Insurance/re-insurance/ancillary intermediaries; Institutions for occupational retirement provision; Credit rating agencies; Administrators of critical benchmarks; Crowdfunding service providers; Securitisation repositories; ICT third-party services providers.

Key Definitions

Digital operational resilience: the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

ICT risk: any reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment.

ICT third-party risk: an ICT risk that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or by subcontractors of the latter, including through outsourcing arrangements.

Cyber-attack: a malicious ICT-related incident caused by means of an attempt perpetrated by any threat actor to destroy, expose, alter, disable, steal, or gain unauthorised access to, or make unauthorised use of, an asset.

ICT-related incident: a single event or a series of linked events unplanned by the financial entity that compromises the security of the network and information systems, and has an adverse impact on the availability, authenticity, integrity or confidentiality of data, or on the services provided by the financial entity.

For more information:

DORA: frequently asked questions