The Digital Operational Resilience Act (DORA) is a landmark EU regulation that entered into force on 16 January 2023 and became applicable on 17 January 2025. Designed to enhance the digital security and resilience of the financial sector, DORA applies to a wide range of financial entities, including banks, insurance companies, and investment firms.
Key requirements under DORA:
- ICT risk management: DORA sets out governance and organizational requirements for implementing a comprehensive ICT risk management framework.
- ICT-related incident response and reporting: Covered entities must establish processes for identifying, managing, and notifying ICT-related incidents to competent authorities. The specific requirements depend on the severity of the incident.
- Digital operational resilience testing: Entities must implement an operational resilience testing programme to evaluate their preparedness for handling ICT-related incidents.
- ICT third-party risk management: DORA introduces principle-based rules for monitoring third-party risk and outlines key contractual provisions to be considered when dealing with technology service providers.
- Information sharing: DORA encourages the voluntary exchange of information and intelligence on cyber threats among financial entities in the interest of collective resilience.
Failure to comply with DORA can result in substantial financial penalties against the financial entity or, in some jurisdictions, personal liability for board members.
At Christys & Co LLC, Advocates and Legal Consultants, our team of experienced lawyers can provide legal guidance to help financial entities navigate DORA’s complex requirements and ensure compliance with the new regulatory framework.