Digital Operational Resilience Act - DORA Regulation Guide

01 Jul 2024 International 6 min read

Introduction to DORA

In an era where digital technologies are pivotal to financial operations, the Digital Operational Resilience Act (DORA) stands as a cornerstone EU regulation aimed at enhancing the operational resilience of the financial sector against ICT (Information and Communication Technology) disruptions and threats.

By establishing rigorous standards for digital resilience, DORA not only safeguards the financial entities but also ensures the broader stability of the financial system across the EU through uniform legal provisions. The regulation requires financial entities to establish an internal governance framework that rigorously manages ICT risks.

DORA Timescales

There may be minor differences in the implementing legislation at the jurisdictional level, e.g. some EU Member States extend the scope of DORA in whole or in part to other types of financial entities or provide specific rules on the relationship between the NIS2 Directive and the DORA Regulation. It is therefore always advisable to contact a DORA expert in the relevant jurisdiction for country-specific advice.

The 5 pillars of DORA

Who is affected by DORA?

Entities under the scope of DORA

DORA applies to a wide range of financial entities including banks, credit institutions, investment firms, insurance companies, and third-party ICT service providers that are critical to the financial infrastructure. Each of these entities must align their operational and risk management processes with DORA's stringent requirements in order to effectively manage and mitigate ICT risks. Moreover, the regulation places particular emphasis on the role of governing bodies in ensuring compliance, which has a direct impact on directors and senior managers.

Small and non-interconnected investment firms, payment institutions, e-money institutions, small institutions for occupational retirement provision, and several types of financial enterprises and investment funds must only comply with the simplified ICT risk management framework prescribed in Article 16 of DORA (i.e. the "Mini DORA"). They do not apply Articles 5 – 15 of DORA, but they must create and maintain a simplified ICT risk management framework. Financial enterprises that operate payment systems, that are subject to prudential regulation equivalent to that of a credit institution, or that are subject to supervision on a consolidated basis must, however, comply with the full ICT risk management framework prescribed in Article 6 of DORA.

The DORA regulation also contains several exemptions and separate provisions for micro undertakings (any institution falling within the scope of DORA if it employs no more than 10 employees, and its annual turnover and/or balance sheet total does not exceed EUR 2 million), including but not limited to simplified audit, personnel, risk analysis and testing requirements.

Please note that some EU Member States extend all or part of the scope of DORA to other types of financial institutions.

Why it's important to comply

Advantages of DORA compliance

Complying with DORA enhances not only the ICT resilience of financial entities but also fortifies trust with customers and stakeholders. By adhering to DORA, institutions ensure continuity of services, protect against cyber threats, and maintain data integrity and security. Enhanced compliance also positions entities to better handle unforeseen disruptions, thus maintaining operational efficacy.

Risks of non-compliance

Non-compliance with DORA can lead to significant consequences, including substantial fines against the financial entity (or, in some jurisdictions, directly against board members), legal action, and reputational damage. Regulatory bodies are equipped to enforce compliance through a variety of punitive measures, making compliance not only beneficial but mandatory. For example, DORA contains specific provisions for administrative penalties and remedial measures that regulators can impose for non-compliance. This regulatory enforcement can extend to public disclosure of violations, further exacerbating reputational risks. National laws will determine the exact type and amount of fines to be imposed for non-compliance with DORA.

Our services and how we can help

Navigating DORA with CMS

At CMS, we provide comprehensive DORA-related legal services tailored to ensure your compliance with these new regulations. We provide services to a wide portfolio of clients in the regulated financial sector and to ICT providers in and outside the European Union. We regularly meet with regulators and deliver training to board directors and compliance staff.

Expertise across borders

Our global presence enables us to offer you localised strategies that align with DORA requirements in various jurisdictions. Whether you are operating in the EU, the UK, or beyond, our experts are equipped to deliver the necessary legal insights and support.

We advise a range of major international banks, insurers, fund managers and ICT providers on the operational resilience and critical third-party requirements across Europe and the UK (the UK's equivalent of DORA).

Learn more about our services for regulated entities and ICT service providers

Regulated entities

ICT TPPs (Third party service providers)

Why CMS?

Our expertise, your advantage

Choosing CMS means partnering with a law firm that not only understands the legal landscape but also values your operational stability and success. To address any gaps in your digital and operational resilience maturity, our global network of industry experts can work with your technology risk function and existing operational resilience, cyber security and third-party risk management programmes, as well as your in-house legal teams.

Our history of handling complex regulatory compliances, technology and IT security law issues and our proactive approach to legal challenges makes us an ideal partner in your DORA compliance journey.

On DORA mandates, CMS Banking & Finance Law and Technology Law experts work together to ensure that all IT security, technology and regulatory issues are adequately covered to the highest standards.

We also use legaltech tools to ensure DORA compliance so that we can do our job as efficiently as possible. Supported by our AI-based technology solutions, we are able to manage a large number of DORA contracts, covering the entire contract process from drafting a contract template to negotiating individual contracts, and we can also provide an online platform where our clients can enter into contracts with an e-signature solution and track the process.

Contact our experts


Belgium

France

Germany

Hungary

Italy

Luxembourg

Romania

Spain

The Netherlands

UK

Latest updates

Cyber Space: Global insights on cyber and data risks for insurers October 2025 – Cyber incident response and compliance with DORA

October 2024 Highlights: Key UK and EU Operational Resilience Updates

DORA batch 2 is here!

Related content

DORA podcast

Listen to this podcast as our operational resilience experts explore the significance of the Digital Operational Resilience Act (DORA). They discuss how DORA aims to improve resilience to digital threats and operational disruptions, and explore the implementation challenges facing Fintechs as the 17 January 2025 compliance deadline approaches.

Listen here

Digital Operational Resilience Act (DORA): Impact on the funds sector

International Digital Regulation Hub | CMS

Watch DORA webinar recordings

Boarding the DORA Express - Directors' Duties, Risk Resilience and beyond

Digital Operational Resilience Act - Q&A
