Cabinet News - Research and commentary on regulatory and other financial services topics.
DORA Now in Force in the EU
January 23, 2025
Michael Newell
Partner | Financial Services
Alix Prentice
Partner | Financial Regulation

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (“DORA”), which establishes a uniform set of requirements relating to the security of network and information systems supporting financial system participants’ business processes, is now live as of 17 January 2025, without any transitional provision.

A wide range of rules for managing ICT risks, including risks linked to ICT third-party service providers, is now in force. DORA applies to nearly all financial entities regulated in the EU, with very few exemptions for smaller institutions. For the first time, it also covers major unregulated ICT third-party service providers, a significant shift in European financial regulation.

In particular, DORA requires financial firms to:

  • have internal governance and control frameworks that ensure they manage all ICT risks effectively;
  • have a robust ICT risk management framework that enables them to address ICT risk;
  • report major ICT-related incidents and notify significant cyber threats to their competent authorities;
  • carry out digital operational resilience testing (see Digital Operational Resilience Testing);
  • manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework; and
  • share information and intelligence about cyber threats and vulnerabilities.

DORA also lays down rules for the establishment and conduct of a new oversight framework for critical ICT third-party service providers (which includes many of the large technology companies) when they provide services to the firm.
