Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022, also known as the Digital Operational Resilience Act (DORA), was introduced to strengthen digital operational resilience in the European financial sector. With a high degree of digitalisation and interconnectivity, the financial sector is exposed to considerable risks, both for individual financial entities and for overall financial stability. DORA is part of the EU’s digital financial package and aims to create a common legal framework to streamline the EU’s fragmented legal landscape as regards information and communication technology (ICT) risks.
Prior to the introduction of DORA, the European financial sector faced increasing digital operational resilience challenges. ICT-related incidents, such as cyber-attacks and systemic failures, could have a serious impact on financial services and market stability. In addition, the diversity of national regulations made it difficult for financial institutions operating across the EU to manage ICT risks. DORA was developed to address these issues by establishing common standards and reporting requirements to improve risk management and incident preparedness across the European financial sector.
The main objectives of DORA are, first, to strengthen digital operational resilience by improving the ability of financial entities to respond to ICT incidents and maintain their operations in an efficient and secure manner, thereby contributing to the stability of the financial sector; second, to harmonise standards and practices by establishing a common legal framework; and third, to extend the scope of action of relevant financial entities by including more detailed reporting requirements on ICT-related incidents and by encouraging voluntary notification of significant cyber threats.
DORA is based on five fundamental principles:
1. ICT Risk Management
2. ICT Incident Management, Classification and Reporting
3. Digital Operational Resilience Testing
4. ICT Third Party Risk Management
5. Information sharing agreements
DORA represents good practice in the field of financial regulation for several reasons. First, it takes a proactive approach: by requiring digital operational resilience testing and encouraging information sharing on cyber threats, DORA helps strengthen the resilience of the financial sector. Second, it harmonises and simplifies standards and practices at EU level, reducing costs and administrative complexity. Third, it improves transparency through more detailed reporting requirements on ICT incidents and voluntary notification of significant cyber threats.
Implications for Luxembourg
DORA imposes more precise rules on financial entities in Luxembourg for ICT risk management, including incident reporting, resilience testing and third-party risk management. Given the current fragmentation of ICT regulations, the differences between an entity's current practices and the DORA requirements will vary from one entity to another, leading to distinct implementation gaps. Each entity should therefore analyse its own deviations and start implementing DORA as soon as possible.