On 28 November 2022, the Council of the European Union adopted the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554). The Regulation lays down uniform obligations regarding the security, risk management, monitoring and information sharing of the information and communication technology (ICT) and network systems that support financial activities. It aims to harmonise ICT risk management tools, methods, processes and policies at European level through common regulatory technical standards (RTS) to be developed by the European Supervisory Authorities (ESAs).

The obligations arising from the Regulation apply to financial entities in five areas: ICT risk management, ICT-related incident management and reporting, digital operational resilience testing, information sharing on cyber threats and vulnerabilities, and the management of ICT risk arising from third-party providers.

On ICT risk management, financial entities must maintain an internal governance and control framework that ensures the effective management of ICT risk and thereby digital operational resilience. The Regulation sets requirements for identifying, protecting against and preventing ICT risk arising from the use of ICT. Financial entities must put in place mechanisms that promptly detect anomalous activities and identify potential material single points of failure. They must also examine every ICT-related incident, establish crisis communication plans, and designate at least one person responsible for communicating with the public and the media about such incidents.

The Regulation further lays down rules on the management, classification and reporting of ICT-related incidents and cyber threats. It also establishes general requirements for conducting digital operational resilience testing, including threat-led penetration testing for entities identified by the authorities, and key principles for managing ICT risk from third-party providers.

The Regulation applies 24 months after its entry into force: having entered into force on 16 January 2023, it applies from 17 January 2025.