DORA to enhance cyber resilience of financial institutions

The European Commission has released a proposal for the Digital Operational Resilience Act (DORA), laying down the requirements for the information and communication technology (ICT) security of financial institutions. Banks, stock exchanges, clearing centres or FinTech companies will have to observe strict standards.

The proposed regulation is to be part of the wider Digital Finance Package, which also includes a general strategy, legislative proposals on crypto-assets, and updated strategies for modern and secure retail payments. The package aims to eliminate the current fragmentation of the digital single market by adopting a European framework to boost digital innovation, support data-driven finance, and take account of the related risks, including enhancing financial systems’ resilience.

The new regulation aims to respond to the financial sector’s ever-increasing dependency on digital processes and the ICT risks that grow with it. Financial institutions such as banks, stock exchanges, clearing centres and FinTech companies will have to observe stringent standards. Strict supervision will also apply to ICT providers (including BigTech companies) that provide cloud computing services to these financial institutions.

DORA is to cover the following areas:

  • setting and unifying the requirements for the cyber resilience of the financial institutions’ IT systems and for the reporting of ICT-related incidents
  • mandatory testing of financial institutions for ICT security and cyber resilience; a certain level of testing compulsory for all, a higher level (such as penetration tests) only for financial institutions identified as significant
  • oversight over the outsourcing of ICT services by financial institutions, including a more detailed regulation of contractual arrangements concluded between financial institutions and ICT providers
  • oversight of critical third-party providers of ICT services to financial institutions by a central EU authority.

The regulation distinguishes and regulates a total of 20 types of financial institutions. On the other hand, payment systems, payment card systems, some operating systems, and participants pursuant to the SFD (Settlement Finality Directive) are excluded from its scope.