19.03.2025
DORA Regulation: Deadline, scope & requirements
The Digital Operational Resilience Act (DORA) imposes new obligations on affected businesses. Financial institutions and critical information and communication technology (ICT) service providers must implement these by 17 January 2025. Despite the two-year preparation period, there is an urgent need to act as there are many aspects to consider, implement and document. We explain who exactly is affected by the regulation, what the new obligations are and what needs to be considered.
Content
- What is the DORA Regulation?
- Which organisations and companies are affected by the DORA Regulation?
- What are the requirements of DORA?
- What steps should organisations take now to prepare for DORA?
- Who is responsible for DORA compliance within the company?
- How can SRD Attorneys at Law assist you with the implementation of the DORA Regulation?
- What are the penalties for non-compliance with DORA?
- What are the deadlines for implementing the DORA requirements?
- Our assessment of the DORA Regulation
What is the DORA Regulation?
The DORA Regulation came into force on 17 January 2023 and aims to improve the operational resilience of the European financial sector. It focuses on harmonising IT security requirements to address growing cyber risks. To this end, standardised requirements for risk management systems and the security of the network and information systems used by regulated entities have been defined for the financial sector.
DORA is aimed at the financial sector and, as a more specialised law in the financial sector, takes precedence over the Network and Information Security Directive (NIS2).
Which organisations and companies are affected by the DORA Regulation?
The requirements of the DORA essentially apply across all sectors to all supervised institutions and companies in the financial sector - e.g. credit, payment and e-money institutions as well as providers of crypto services and insurance companies.
In addition to companies in the financial sector itself, the regulation also directly or indirectly affects information and communication technology (ICT) service providers. ICT service providers include companies that provide essential services such as cloud computing, software provision, data analytics and data centre services to financial firms. DORA defines ICT services as digital services and data services provided on a continuous basis via ICT systems.
The definition includes hardware and related services, including technical support in the form of software or firmware updates. Traditional analogue telephone services are excluded from this definition. Where these service providers provide critical services to a financial organisation, they are subject to direct supervision by a supervisor.
What are the requirements of DORA?
DORA sets out detailed requirements for ICT risk management and contracts with ICT service providers. Five key areas are of particular relevance:
- ICT Risk Management (Art. 5-16 DORA)
- ICT Third Party Management (Art. 28-44 DORA)
- ICT Incident Management (Art. 17-23 DORA)
- Digital Operational Resilience Testing (Art. 24-27 DORA)
- Information Exchange (Art. 45 DORA)
ICT Risk Management, Art. 5-16 DORA
ICT risk management is the core element of DORA. In summary, organisations need to develop and regularly review a digital resilience strategy. This includes assessing the risks associated with new technologies as well as legacy systems. In addition, senior management must be actively involved in the control and management of ICT risks. The documentation and reporting of ICT-related incidents is also mandatory.
According to Art. 5 para. 1 DORA, financial institutions must first have an internal governance and control framework in place to ensure the effective and prudent management of ICT risks. In order to achieve a high level of digital operational resilience, DORA introduces a "DOR strategy" in Art. 6 para. 8 DORA. The management bodies are also obliged to keep their knowledge and skills up to date with regard to the ICT risks to be managed, e.g. through regular training.
According to Art. 6 para. 1 DORA, ICT risk management must be embedded in a risk management framework, which must be documented and reviewed once a year, or regularly in the case of microenterprises.
ICT risk management also includes:
- Establishing policies, guidelines, procedures, ICT protocols and tools necessary to protect all information and ICT assets.
- Investigation of causes and possible improvements after serious ICT-related incidents with disruption of key activities.
- Risk assessment for legacy ICT systems (Art. 8 para. 7 in conjunction with Art. 3 No. 3 DORA) annually and before and after the connection of technologies, applications or systems.
- Reporting by ICT staff to the management body on incidents, tests and corresponding recommendations (Art. 13 Para. 5 DORA).
Third party management, Art. 28-44 DORA
Another aspect of risk management is ICT third party risk management. The regulation aims to address potential systemic and concentration risks arising from the financial sector's reliance on a small number of ICT service providers.
At the heart of ICT third party risk management are detailed requirements for outsourcing contracts between financial firms and external ICT service providers. Contracts with external ICT service providers must comply with minimum requirements to ensure that they meet the high security requirements of DORA. Art. 30 of the DORA sets out the mandatory minimum content of the contract. These requirements are intended to ensure that all external services provided by these service providers meet the high security and resilience requirements of the regulation.
It should be noted that even stricter requirements apply to ICT service providers providing critical or important functions. Contracts must include at least the following:
Minimum content for all ICT service provider contracts | In addition, for critical or important ICT services |
---|---|
Service description, quality and security provisions | Quality of service and performance targets |
Subcontracting and data processing | Security and resilience obligations |
Co-operation, support and training | Contractual terms and reporting obligations, including exit strategy |
Rights of termination and data access | Monitoring and control rights |
ICT Incident Management, Art. 17-23 DORA
Financial organisations are required to define a process for dealing with ICT incidents. This process should enable and ensure that the incident is identified, handled and reported.
An ICT incident (Art. 3 No. 8 DORA) is an unplanned event or a corresponding series of related events that affects the security of the network and information systems and has a detrimental impact on the availability, authenticity, integrity or confidentiality of data or on the services provided by the financial organisation.
Firms must classify ICT incidents in accordance with the requirements of Art. 18 para. 1 DORA. Depending on the classification, there may be an obligation to report to the Federal Financial Supervisory Authority (BaFin) as the competent supervisory authority. In the case of serious ICT incidents, reporting is mandatory.
For the classification of ICT incidents, the Commission Delegated Regulation (EU) 2024/1772 of 13 March 2024 supplementing Regulation (EU) 2022/2554 of the European Parliament and of the Council with regard to regulatory technical standards specifying the criteria for the classification of ICT incidents and cyber threats, the materiality thresholds and the details of notifications of serious incidents was adopted.
Digital Operational Resilience Testing, Art. 24-27 DORA
As an integral part of the ICT risk management framework, financial firms must implement a programme to test their own operational resilience. The applicable measures depend on the size, business and risk profile.
The measures are listed in Art. 25 para. 1 DORA. However, the list is only indicative and not exhaustive. Accordingly, the tests should include the following:
- Vulnerability analyses
- Open source analyses
- Gap analyses
- Network security assessments
- Physical security reviews
- Software solution scans
- Source code reviews
- Scenario-based tests, compatibility tests, performance tests, end-to-end tests, penetration tests, as appropriate
Financial companies must carry out these tests once a year if the ICT systems and applications concerned support critical or important functions. Micro-enterprises are exempt from this obligation.
Larger financial institutions are also required to conduct threat-led penetration tests (TLPT) at least every three years in accordance with Art. 26 para. 1 DORA. The competent authority may also oblige the financial undertaking to carry out the tests at a lower or higher frequency.
Exchange of information, Art. 45 DORA
The exchange of information on cyber incidents between financial organisations will be encouraged in order to strengthen resilience across the industry. This will include indicators of compromise, tactics, techniques and procedures, cybersecurity alerts and configuration tools, provided that such information and intelligence sharing
- is aimed at strengthening the digital operational resilience of financial firms, in particular by raising awareness of cyber threats, limiting or preventing the spread of cyber threats and supporting defensive capabilities, threat detection techniques, mitigation strategies or response and recovery phases
- takes place within trusted communities of financial organisations
- is implemented through information sharing agreements that protect the potentially sensitive nature of the information exchanged and are subject to rules of conduct that fully respect commercial confidentiality, the protection of personal data in accordance with the GDPR and competition policy guidelines.
What steps should organisations take now to prepare for DORA?
The EU-wide harmonised requirements of DORA mean that financial firms will need to ensure a consistent level of cybersecurity and operational resilience maturity across their EU operations.
The following checklist can help to systematically prepare for the DORA requirements:
- Check DORA applicability: Does the company fall under DORA directly or as an ICT service provider?
- Review processes and contracts: Are appropriate ICT risk management processes already in place? Are contracts with external service providers DORA-compliant?
- Develop contingency and emergency plans: Ensure that appropriate crisis response plans are in place and tested.
- Ongoing staff training: Raise your staff's awareness of ICT risks on a regular basis.
Who is responsible for DORA compliance within the company?
The primary responsibility for compliance with the DORA lies with the company's management. DORA has significantly expanded the duties and responsibilities of the management bodies of financial companies, Art. 5 para. 2 DORA. For example, sufficient and up-to-date knowledge and skills with regard to the ICT risks to be managed are required, Art. 5 para. 4 DORA. The delegation of this responsibility is strictly limited.
Although it is possible to outsource ICT risk management, the financial organisation ultimately remains fully responsible for ensuring ICT risk management. Financial institutions must introduce an ICT risk control function similar to the already known information security officer, who "assumes responsibility for the management and monitoring of ICT risks", Art. 6 para. 4 DORA.
How can SRD Attorneys at Law assist you with the implementation of the DORA Regulation?
SRD Attorneys can assist with specific contractual and regulatory issues related to DORA:
- For financial institutions: We review existing contracts for DORA compliance and assist you in negotiating new contracts with ICT service providers.
- For ICT service providers: We assist service providers in implementing the DORA requirements and help to review and adapt contracts.
- We will draft the necessary DORA contracts for you to prepare your company for the implementation of the requirements as quickly as possible.
What are the penalties for non-compliance with DORA?
DORA does not provide for direct fines or criminal sanctions. This distinguishes it from regulations such as the GDPR or the NIS2 Directive. However, it is at the discretion of EU Member States to provide for sanctions for breaches of DORA in their national law. From January 2025, European supervisory authorities will have the right to request information, conduct investigations and make recommendations on ICT security.
What are the deadlines for implementing the DORA requirements?
The Regulation's requirements must be fully implemented by 17 January 2025. Companies should start planning and implementation well in advance, as implementation can be time-consuming, particularly for complex structures and contracts with third parties.
Critical service providers outside the EU are subject to direct supervision by the European authorities. Contracts with these service providers should therefore be drafted with particular care to meet European requirements.
Our assessment of the DORA Regulation
The DORA regulation poses significant challenges, particularly for corporate governance and contract management. The specific implementation effort will depend heavily on the size of the organisation and its current level of digital resilience. Despite the implementation effort, we see DORA not only as a challenge but also as an opportunity for financial institutions. In the long term, DORA offers benefits by harmonising standards, particularly for IT security and operational resilience in the financial sector.
When implementing DORA, it is advisable not to consider it in isolation but in the context of all relevant European legislation. It is conceivable that the addressees of the Regulation may also be addressees of other related European legislation. Depending on the specific case, the application of the NIS 2 Directive, the GDPR, the AI Regulation or the Cyber Resilience Act may also be considered. We recommend early implementation to ensure timely compliance.
Our team of experts can provide you with professional support. Contact us now for a no-obligation initial consultation!