The Digital Operational Resilience Act (hereinafter: DORA) has been discussed for quite some time. By the time the regulation is published at the end of December 2022, at the latest, financial companies and third-party service providers will have to start implementing the requirements in time for the 2025 entry into force.
Operational Digital Resilience
DORA – we’re not talking about the animated series in which a little girl discovers the world, but the Digital Operational Resilience Regulation. As the title of the legal act suggests, it deals with strengthening the digital resilience of companies. The EU saw a need for action against the background of the increasing importance of information and communications technology (hereinafter: ICT) systems and digitization, as well as the resulting growing interconnectedness and interdependence.
Scope of regulation
DORA regulates financial firms as well as third-party ICT service providers, with a few exceptions, and is scheduled to take effect in January 2025. It is then applicable in all member states. Until then, regulated institutions and service providers still have some work to do. In addition to supervisory powers, the regulation specifically regulates the following:
What’s new?
Some of these issues are not entirely new. For example, the requirements for contracts are largely already included in other regulations around outsourcing. Recovery and business continuation plans should also be nothing fundamentally new for already regulated institutions.
Other topics, on the other hand, such as the extended tests, the various disclosure requirements, and the direct regulation of critical ICT third-party service providers, involve greater expense.
Our recommendation
Address the DORA topics as soon as possible and check which requirements will involve implementation effort for you.
We at ADWEKO will be happy to support you in analyzing your implementation needs and efforts as well as in implementing the requirements.
Pia Streicher
Senior Consultant