European Union: Adopted Regulation on digital operational resilience for the financial sector (DORA) including cybersecurity measures by Council of the European Union

Description


On 28 November 2022, the Council of the European Union adopted the Digital Operational Resilience Act (DORA Regulation). The Regulation lays down uniform obligations on the security, risk management, monitoring and information sharing of information and communication technology (ICT) and network systems related to financial activities. It aims to harmonise ICT-related risk management tools, methods, processes and policies at the European level through common regulatory technical standards developed by the European Supervisory Authorities (ESAs).

The obligations arising from the Regulation apply to financial entities in the areas of ICT risk management and reporting, digital operational resilience testing, information sharing on cyber vulnerabilities and threats, and the management of cyber risks arising from third parties. Regarding cyber risk management, financial entities will have to establish an internal management and control framework that ensures cyber risks are managed effectively so that digital operational resilience is maintained. The Regulation includes requirements for the management, protection and prevention of cyber risks arising from the use of ICT. Financial entities will be required to set up systems that monitor for and detect anomalous activities and major points of failure. In addition, financial entities will be required to examine any ICT incidents, set up crisis communication plans, and assign a person responsible for informing the public.

The Regulation also lays down rules on the management, classification and reporting of cyber incidents and threats. Furthermore, it establishes general requirements for conducting digital operational resilience tests and basic principles for managing cyber risks arising from third parties. The Regulation will be implemented 24 months after it enters into force.

Scope

Policy Area
Data governance
Policy Instrument
Cybersecurity regulation
Regulated Economic Activity
digital payment provider (incl. cryptocurrencies), DLT development, infrastructure provider: cloud computing, storage and databases
Implementation Level
supranational
Government Branch
legislature
Government Body
parliament

Complete timeline of this policy change

2020-09-24
under deliberation

On 24 September 2020, the European Commission submitted the Proposal for a Regulation on digital op…

2021-11-24
under deliberation

On 24 November 2021, the Council of the European Union adopted its general approach on the Proposal…

2021-12-07
under deliberation

On 7 December 2021, the European Parliament adopted its general approach on the Regulation on digit…

2022-05-10
under deliberation

On 10 May 2022, the European Parliament and the Council of the European Union announced that a prov…

2022-11-10
under deliberation

On 10 November 2022, the European Parliament passed the Digital Operational Resilience Act (DORA Re…

2022-11-28
adopted

On 28 November 2022, the Council of the European Union adopted the Digital Operational Resilience A…

2023-01-16
in grace period

On 16 January 2023, the Regulation on digital operational resilience for the financial sector (DORA…

2025-01-17
in force

On 17 January 2025, the Regulation on digital operational resilience for the financial sector (DORA…