The Digital Operational Resilience Act (“DORA”) is part of the Digital Finance Package adopted in 2020 by the EU Commission and aims to create an EU-level framework under which all European financial entities are required to ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
DORA entered into force in January 2023 and will apply from 17 January 2025, roughly 15 months from the time of writing.
2025 may seem a long way off but—given the scale of the measures that need to be taken for such a compliance project—those 15 months will go by very quickly, so there is no time to lose!
Five pillars of resilience
DORA will apply to most European financial entities, be they small or large, including credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings, most AIFMs and management companies, as well as ICT third-party service providers.
Those entities will have to comply with the five pillars of resilience enshrined in DORA:
1. The first pillar is about the implementation of proper ICT risk management.
2. The second pillar provides for ICT-related incident management, classification and reporting obligations.
3. The third pillar describes the expected sound and comprehensive digital operational resilience testing framework.
4. The fourth pillar details the key principles for a sound management of ICT third-party risk.
5. The fifth pillar foresees the possibility for financial entities to exchange cyber threat information and intelligence amongst themselves.
Digital operational resilience is thus definitely not a subject that financial entities can afford to ignore. In particular, management bodies bear the ultimate responsibility for managing the financial entity’s ICT risk and should thus actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity.
In order to implement some operational aspects of DORA, draft law n°8291 was published in August 2023. The draft law inter alia provides for administrative sanctions, including fines of up to EUR 5,000,000 for natural persons and up to EUR 5,000,000 or up to 10% of total annual turnover for companies, whichever amount is higher, in cases of non-compliance with the regulation.
Given its numerous and complex requirements, becoming DORA-compliant may trigger a lot of work for financial institutions. It is thus necessary to start such work as early as possible. In particular, a gap analysis is the first necessary step and can already be carried out to get a clear view of the remediation measures to be implemented before the entry into application of DORA.
The firms impacted by DORA should also already map all their ICT service agreements, classify them depending on whether they relate to critical or important functions, and identify the amendments that need to be negotiated to align with the regulation, noting that, compared to the CSSF Circular 22/806, DORA applies to all ICT services, irrespective of whether they qualify as outsourcing. Also, if you contemplate using new ICT services, you should already ensure that the service agreement complies with the DORA requirements.
For more information:
The video above is just one episode of our broader Arendt Tech News Series, which provides context, technical and high-level insight into hot topics. For a deeper dive into DORA, feel free to watch the replay of our recent webinar.
Senior Associate, Arendt
Senior Manager, Arendt