14. December 2023

DORA NEWS, EU members get ready

A public consultation has just been launched on the proposals for new standards for digital risk management in the European financial market.

In 2022, the European Commission officially adopted the Digital Operational Resilience Act (DORA), a landmark regulation first outlined in the draft published in September 2020 as part of the comprehensive Digital Finance Package. DORA is scheduled to come into full effect on January 17, 2025, and a transitional phase is currently underway to enable entities subject to DORA to prepare adequately for its entry into application. Notably, as a European regulation rather than a directive, DORA is binding and directly applicable across all Member States of the European Union.

During this transitional phase, DORA mandates the European Supervisory Authorities (ESAs) to prepare jointly, through the Joint Committee, a set of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that further delineate and often supplement DORA. Drafts of the first set of policy products were released on 19 June 2023 and the second set on 8 December 2023. The public consultation on the first batch ran until 11 September 2023, and the first set of policy products is due to be submitted to the European Commission in January 2024; the second batch will follow with a deadline of 17 July 2024, while the public consultation on the second batch runs until 4 March 2024.

DORA’s application is extensive, encompassing financial entities such as credit institutions, payment institutions, insurance companies, securities dealers, investment firms, insurance intermediaries, and cryptocurrency dealers. Consequently, we are engaged in reviewing the internal processes of many clients, recognizing that DORA, while building on existing rules, significantly expands regulatory coverage into previously unregulated areas.

DORA comprises four integral parts: the ICT risk management framework, ICT incidents, resilience testing, and third-party risk management. The ICT risk management framework, serving as the cornerstone for obligated entities, requires a comprehensive rework and expansion in response to DORA’s enforcement. In our experience, financial entities have adopted – to varying degrees and quality – elements of this framework as part of their existing cyber risk protection. However, once DORA takes effect, these elements will require meticulous reworking and expansion, evolving into a robust and consistent protective system capable of mitigating all ICT risks.

A fundamental shift will also be required in the collaboration with ICT service providers, given that DORA introduces new obligations and requirements for financial entities. These include selecting and contracting ICT service providers, monitoring them, reporting relevant information about them to supervisory authorities, and, if necessary, terminating cooperation to safeguard the activities of the financial entity.

Undoubtedly, these changes pose significant challenges for our clients, not only in terms of the requisite human resources — DORA directly mandates the creation of new positions with defined lines of responsibility — but also in terms of the necessary financial expenditure. To ease the financial strain, many of the obligations defined by DORA can be automated using specialized software tools. However, the acquisition and implementation of these tools often entail considerable costs within an ICT risk management framework.

In the Czech Republic, compliance with the obligations outlined in the DORA will be supervised by the Czech National Bank, wielding the authority to impose fines of up to EUR 2 million for breaches of these obligations.

Considering these challenges, it is crucial to view DORA not as a threat, but as an opportunity. It presents a chance to adapt internal processes to evolving threats, ultimately leading to a safer and improved service for clients. At Greats, we have assembled a team of experienced advisors ready to guide you through DORA. We are well-equipped to deal with the intricacies of ICT risk management and would be delighted to address any inquiries you may have in more detail.