A New Framework for Digital Resilience
On 10 November 2022, the European Parliament approved two pieces of legislation: DORA and the NIS2 Directive. This legislation will set the new framework for digital resilience and cybersecurity across EU financial services and more broadly.
At a time when digital finance, data and technology such as cloud computing present huge opportunities for financial services and FinTech, this legislation will have significant implications for technology providers and users in the EU.
What is DORA?
The ‘Digital Operational Resilience Act’, known as ‘DORA’, is a new EU regulation for a common set of rules and standards to mitigate ICT risk across the EU financial services (FS) sector, by harmonising existing fragmented rules and raising the bar for ICT risk management.
In a nutshell, DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats.
DORA establishes concrete cyber security obligations, regulates contractual terms, describes the prudential role financial regulators have in cyber security, and creates requirements around supply chain risk management.
Who will DORA apply to?
DORA will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, insurance undertakings and re-insurance undertakings. Additionally, it will apply to those organisations captured within the expanded regulatory perimeter under the term ‘critical ICT third-party service providers’, which will include services such as cloud resources, data analytics and audit.