Publication 19 Dec 2024 · Netherlands

DORA implementation plan

2 min read

In this publication

7 Pages

Digital Operational Resilience Act (DORA)

1. Digital Operational Resilience Act (DORA): Impact on the funds sector

2. DORA implementation plan

3. EU’s DORA regulation: is it a basis for director liability in the Netherlands?

4. DNB provides guidance on how to prepare for DORA

5. AFM draws attention to preparation for DORA

6. Reminder: AFM to request DORA-register in February 2025

7. Update: DNB to request DORA registers in April 2025

Key contacts

The Digital Operational Resilience Act ("DORA") is a European regulation aiming to enhance the digital resilience of financial entities. It focuses on minimising digital risks within the financial sector, ensuring that financial entities can withstand and recover from operational disruptions caused by cyberattacks, technical failures, or other digital threats.

Rules to improve the operational resilience of financial entities

DORA establishes rules to improve the operational resilience of financial entities. This includes managing ICT (information and communication technology) risks, ensuring service continuity, and increasing the transparency of third-party ICT service providers. The regulation requires financial entities to implement comprehensive strategies and measures for risk management and to regularly test their systems and processes.

By strengthening accountability across the supply chain, DORA aims to safeguard the overall stability of the financial system.

Adoption by the European Council and the European Parliament

DORA was officially adopted by the European Council and the European Parliament in 2022. The regulation will come into effect on 17 January 2025, following a two-year implementation period. From this date, its rules will be binding on all covered entities.

DORA applies to a broad range of financial institutions within the European Union, including:

Managers of alternative investment funds (AIFMs);
Investment firms;
Banks;
Insurance companies and reinsurers;
Payment service providers;
Central securities depositories;
Crypto-asset service providers; and
Critical ICT service providers that support the financial sector (including cloud providers).

In addition, critical ICT service providers such as cloud providers, software vendors, and data centers that deliver services to the financial sector also fall under DORA’s supervisory scope. This makes DORA unique, as it extends its reach to both financial institutions and their service providers.