On 27 December 2022 Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector [1] (the “Regulation” or “DORA”) and Amending Directive (EU) 2022/2556 [2] (the “Amending Directive”) were published in the Official Journal of the EU and will enter into force on 16 January 2023. The Regulation will apply from 17 January 2025. Member States are required to adopt the measures necessary to comply with the Amending Directive also by 17 January 2025.

DORA represents the EU’s response to the ever-increasing number of cyberattacks against financial institutions. It is designed to strengthen the security of EU financial firms (the umbrella term “financial entities” is used), such as banks, insurance companies, payment and e-money institutions, investment firms and more, by imposing resilience requirements and regulating the supply chain. It is designed to ensure that the services they provide are not disrupted by cyberattacks, outages or other risks to the integrity and continuity of those services.

DORA harmonises and consolidates key elements of existing digital resilience frameworks and standards within the EU [3], but it also introduces new requirements. Financial entities tend to outsource much of their IT and deal with complex architectures. It is also for this reason that DORA also applies to third-party providers of ICT services and impacts the contracts financial entities agree with those providers. The sharpened focus on third-party risk management is evident throughout DORA. The new regulation also brings into scope providers of critical information to the financial services sector, such as credit rating, critical benchmarking and data reporting services, as well as financial market infrastructure providers such as central securities depositories, central counterparties and trading venues.

Broadly, DORA consists of requirements in five main areas:

  • ICT risk management.
  • ICT incident reporting.
  • Digital operational resilience testing.
  • ICT third-party risk management.
  • Information and intelligence sharing.

It is pertinent to note that DORA embraces the principle of proportionality and thus follows the approach found in many other regulations: in a sense, it puts the onus back on the individual financial entity to assess and justify the standard and extent of the requirements that it needs to prepare for and eventually implement.

Critical to an efficient implementation of DORA will also be the awaited raft of Regulatory/Implementing Technical Standards and Guidelines which will supplement DORA. In Annex 1 to the MFSA Circular on the publication of DORA, issued on 4 January 2023 [4], the MFSA sets out the different delivery deadlines for the planned work in this regard up to the applicability date of January 2025.

Compliance with DORA is undoubtedly no easy task and can be a “game changer”. The various entities to whom DORA applies have a tight two-year preparatory term, which should be used to undertake a gap analysis of their ICT risk management framework, including reviews of the internal governance structure and of the ICT risk and incident management and reporting mechanisms already in place. Entities should also reassess and, where necessary, renegotiate their agreements with third-party ICT service providers to make them compliant with DORA. Entities should also be prepared for increased supervisory engagement in this area once DORA enters into force, considering that the Regulation provides supervisors with wider, far-ranging mandates and powers. The real consideration for financial institutions is ultimately how they approach it – as a compliance or “tick the box” exercise, or as a potential strategic opportunity.

[1] Which amends Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.

[2] Which amends Directives 2009/65/EC, 2009/138/EC, 2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and (EU) 2016/2341 as regards digital operational resilience for the financial sector.

[3] To date it does not appear that any existing laws, regulations or guidelines will be repealed; instead, these would exist alongside DORA.

[4] https://www.mfsa.mt/publications/circulars/supervisory-ict-risk-and-cybersecurity-circulars/
