On November 28th, the Council adopted the Digital Operational Resilience Act («DORA Regulation»), which establishes harmonised legal rules concerning the security of network and information systems supporting the business processes of financial entities including credit institutions, investment firms, managers of alternative investment funds, crypto-asset service providers, and crowdfunding service providers.
The core purpose of the DORA Regulation is to ensure that financial entities are able to resist, respond to and recover from disruptions and threats related to Information and Communication Technology («ICT»). To that end, the Regulation sets out requirements applicable to financial entities in relation to, amongst others, the following aspects: i) ICT risk management, ii) reporting of major ICT-related incidents, iii) digital operational resilience testing, iv) measures for the sound management of ICT third-party risk, and v) contractual arrangements concluded between ICT third-party providers and financial entities.
The DORA Regulation will enter into force on the twentieth day following that of its publication in the Official Journal of the European Union («EU») and will apply homogeneously across all EU member states, most likely in 2024. In addition, the European Supervisory Authorities («ESAs») will develop draft regulatory technical standards in the areas of ICT risk management, major ICT-related incident reporting and testing, as well as in relation to key requirements for the sound monitoring of ICT third-party risk, for submission to the Commission.
It is expected, given the ever-increasing risk of cyber-attacks, that the new European legal framework will contribute to mitigating cyber-threats in the financial sector, increasing its resilience to operational disruptions.