Digital Operational Resilience Act ('DORA')


The European Union has agreed a Regulation on Digital Operational Resilience in the EU financial services sector ("DORA"). It is designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. It also introduces an oversight framework for critical third-party providers, such as cloud service providers.

DORA covers a broad range of financial institutions, including credit institutions, payment institutions, e-money institutions, investment firms, crypto-asset service providers, central securities depositories, managers of alternative investment funds (AIFMs), UCITS management companies, administrators of critical benchmarks, crowdfunding service providers, and ICT third-party service providers. Many companies that have not previously been subject to specific ICT regulations are within the scope of DORA.

The Regulation will apply from 17 January 2025.