EU introduces a comprehensive regulatory framework on digital operational resilience in the financial sector.
What is the legal background of this Regulation?
In September 2020, the European Commission published a legislative proposal for a regulation on digital operational resilience for the EU financial sector. This proposal is part of the Digital Finance package, a bundle of legislative proposals that aim to embrace the digital transition and confront its associated risks.
What is the Regulation about?
According to the European Commission, cyberattacks on financial institutions rose exponentially during the pandemic. The Digital Operational Resilience Act (DORA) will be a comprehensive framework with consistent rules addressing the digital operational resilience needs of all regulated financial entities and establishing an oversight framework for critical Information and Communication Technologies (ICT) third-party providers, such as cloud service providers.
Basically, DORA aims to ensure that the obliged entities have certain measures and safeguards in place to mitigate cyberattacks.
Which entities are obliged to comply with DORA?
DORA will apply to a broad range of financial entities, such as credit institutions, electronic money institutions, investment firms and even crypto-asset service providers. Based on the principle of proportionality, DORA acknowledges that there are significant differences among financial entities regarding their size, business profiles or exposure to digital risk. Therefore, DORA aims to apportion the relevant obligations fairly across the different categories of financial entities. For example, only financial entities that do not qualify as microenterprises will be obliged to establish complex governance arrangements, a dedicated management function, regular risk analyses on legacy ICT systems, etc. Moreover, for the purposes of advanced digital resilience testing, only financial entities identified as significant will be required to conduct threat-led penetration tests.
What are the core obligations of DORA for financial entities?
All the obliged financial entities shall (inter alia):
In addition, DORA encourages information sharing among financial entities, related to cyber threat information and intelligence.
Through the Oversight Framework, DORA also aims at direct monitoring of the activities of ICT third-party providers when they provide services to financial entities.
Are there any penalties for non-compliant financial entities under DORA?
According to DORA, Member States shall lay down appropriate administrative penalties and remedial measures for potential breaches of DORA.
When will DORA enter into force? Does it affect the financial entities in Cyprus?
Currently, DORA is in draft form and the EU Council and EU Parliament will now enter trilogue negotiations on the proposal. Once a provisional political agreement is reached between the negotiators, both institutions will formally adopt the new regulation. It is expected that DORA will enter into force within 2022 and become applicable for the financial entities within 12-18 months.
DORA will be binding in its entirety and directly applicable in all Member States, including Cyprus; thus, financial entities in Cyprus will have to comply with DORA.
In conclusion, DORA is a promising and highly anticipated regulation, attempting to harmonize cybersecurity standards among Member States and mitigate the risks associated with ICT reliance in the financial sector without jeopardizing the potential of digital finance in terms of innovation and competition. Essentially, DORA aims to increase trust in the financial services industry for the benefit of consumers and investors.
By Ermis Alkiviades