Digital Operational Resilience Act ('DORA')


The European Commission has published a legislative proposal for a regulation on Digital Operational Resilience in the EU financial services sector ("DORA"). It is designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The proposed legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. The proposal also introduces an oversight framework for critical third-party providers, such as cloud service providers.

Current work: 

DORA covers a broad range of financial institutions, including credit institutions, payment institutions, e-money institutions, investment firms, cryptoasset service providers, central securities depositories, managers of alternative investment funds, UCITS management companies, administrators of critical benchmarks, crowdfunding service providers, and ICT third-party service providers. Many companies that have not previously been subject to specific ICT regulations are within the proposed scope of DORA.

For purposes of DORA, ‘manager of alternative investment funds’ is currently proposed to mean a manager of alternative investment funds as defined in point (b) of Article 4(1) of the AIFMD. AIMA is advocating to narrow this definition such that the risk management requirements apply to only authorised AIFMs as is currently the case under the AIFMD.

Upcoming actions: 

The proposed new EU regulation is currently being scrutinised by the European Parliament and Council. Trilogues are expected to begin in Q4 2021.

(Last updated: 6 September 2021)