INFORMATION TECHNOLOGY
The DORA Regulation on Digital Operational Resilience is fully applicable.
From 17 January 2025, after entering into force on 16 January 2023, Regulation 2022/2554, the Digital Operational Resilience Act (DORA), is fully applicable to financial entities within the EU.
The DORA Regulation prescribes uniform requirements on the security of the network and information systems that support the commercial activities of financial entities, including credit institutions, payment institutions, investment firms and liquidity providers. Third-party ICT service providers are also indirectly affected by its application.
The DORA Regulation has introduced several technical, organisational and documentary requirements for the management of digital operational resilience, including:
- ICT risk management, including risk assessments, policies and threat monitoring;
- incident detection and reporting, including (1) identifying major ICT-related incidents and, on a voluntary basis, notifying competent authorities of significant cyber threats; and (2) reporting to the competent authorities serious operational or security incidents related to payments by certain financial entities;
- completion of a series of assessments, tests, methodologies and practices to identify weaknesses, deficiencies and gaps in digital operational resilience;
- sharing of information and intelligence in relation to cyber threats and vulnerabilities; and
- implementation of measures for the proper management of ICT risks arising from third parties, such as the performance of a preliminary assessment, the implementation of an ICT third-party risk strategy and a register of information on contractual arrangements, as well as the inclusion of key contractual provisions in those arrangements.