Digital Operational Resilience Act ('DORA')


The European Union has issued a Regulation on Digital Operational Resilience in the EU financial services sector ("DORA"). It is designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations. DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other risks. The legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. It also introduces an oversight framework for critical third-party providers, such as cloud service providers.

DORA covers a broad range of financial institutions, including credit institutions, payment institutions, e-money institutions, investment firms, cryptoasset service providers, central securities depositories, managers of alternative investment funds, UCITS management companies, administrators of critical benchmarks, crowdfunding service providers, and ICT third-party service providers. Many companies that have not previously been subject to specific ICT regulations are within the scope of DORA.