Digital Operational Resilience Act ('DORA')

Overview: 

The European Commission has published a legislative proposal for a regulation on Digital Operational Resilience in the EU financial services sector ("DORA"). It is designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements throughout the financial sector, so that all participants in the financial system are subject to a common set of standards to mitigate ICT risks for their operations. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The proposed legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. The proposal also introduces an oversight framework for critical third-party providers, such as cloud service providers.

Current work: 

DORA covers a broad range of financial institutions, including credit institutions, payment institutions, e-money institutions, investment firms, cryptoasset service providers, central securities depositories, managers of alternative investment funds, UCITS management companies, administrators of critical benchmarks, crowdfunding service providers, and ICT third-party service providers. Many companies that have not previously been subject to specific ICT regulations are within the proposed scope of DORA.

For the purposes of DORA, ‘manager of alternative investment funds’ is currently proposed to mean a manager of alternative investment funds as defined in point (b) of Article 4(1) of the AIFMD. AIMA is advocating to narrow this definition so that the risk management requirements apply only to authorised AIFMs, as is currently the case under the AIFMD. The Council has proposed in its general approach a carve-out for sub-threshold AIFMs (i.e., managers of alternative investment funds referred to in Article 3(2) of the AIFMD).

Upcoming actions: 

DORA is currently being scrutinised by the European Parliament and Council. The Council has adopted a general approach on the Commission's proposal, which will form its mandate for negotiations with the European Parliament. Trilogue negotiations are expected to begin in early 2022.

(Last updated: 6 December 2021)