The DORA Regulation (EU) 2022/2554 already came into force at the beginning of 2023. Nevertheless, the new requirements for the financial sector are still largely unknown in many cases. Even though the obligation to apply the rules only takes effect in January 2025, affected companies should engage with the content and effects of the regulation at an early stage so that they can implement compliant processes in good time. In particular, it is advisable to keep an eye on the expected specification of the requirements and the concretisation of the technical regulatory standards by BaFin.
What is DORA about?
The DORA regulation (Digital Operational Resilience Act) aims to strengthen the operational resilience of financial institutions in the digital age. The regulation was developed to mitigate the risks associated with cybersecurity, IT failures and other digital threats. It aims to harmonise the various national rules on IT security in the financial sector and to establish a single legal act within the European Union governing the digital operational resilience of financial services. In addition, a common supervisory framework for third-party providers of information and communication technologies (ICT) is to be created.
What impact will DORA have on the financial industry?
– Financial institutions will be required to conduct a comprehensive risk assessment of their digital systems and processes. Early warning indicators must be set up to detect cyber attacks and trigger countermeasures. The aim is to identify vulnerabilities and take appropriate security measures to improve operational resilience.
– Financial institutions must report cybersecurity incidents and IT failures (ICT-related incidents) to the supervisory authorities. This allows for better monitoring of and response to threats, as well as improved coordination between authorities.
– The regulation contains specific requirements for the outsourcing of IT services by financial institutions. Increased requirements are placed on contract terms and monitoring mechanisms to ensure that institutions retain security and control over their digital processes.
– The DORA Regulation establishes a clear supervisory structure and defines the role of national authorities and the European Central Bank. This leads to increased supervision and regulation of the digital operational capability of financial institutions.
– The supervisory authorities have the right to conduct regular examinations to ensure that financial institutions comply with the requirements of the DORA Regulation. In the event of violations, sanctions can be imposed to enforce compliance.
In summary, the DORA regulation aims to increase the digital resilience of the financial industry by establishing regulatory requirements for cybersecurity and operational resilience. Improved security and control are intended to reduce risks for financial institutions and their customers.