Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554, is a European Union regulation. It requires financial entities to improve their digital operational resilience.


Aim

DORA aims to improve the digital operational resilience of financial entities in the EU and their ICT suppliers and create a uniform regulatory framework across the EU, in order to reduce the susceptibility to cyber threats across the entire value chain of the financial sector. In addition, DORA intends to harmonize national regulations regarding the security of IT systems in the financial sector, thus strengthening the European financial market as a whole against cyber risks and information and communications technology incidents.


Scope

The regulation applies to financial entities and third-party suppliers of ICT services. Article 2 defines financial entities as:

* Account information service providers
* Administrators of critical benchmarks
* Central counterparties
* Central securities depositories
* Credit institutions
* Credit rating agencies
* Crowdfunding service providers
* Crypto-asset service providers and issuers of asset-referenced tokens
* Data reporting service providers
* Electronic money institutions
* Institutions for occupational retirement provision
* Insurance and reinsurance undertakings
* Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
* Investment firms
* Management companies
* Managers of alternative investment funds
* Payment institutions
* Securitisation repositories
* Trade repositories
* Trading venues

The regulation explicitly does not apply to:

* Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises
* Insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC
* Institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total
* Managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU
* Natural or legal persons exempted pursuant to Articles 2 and 3 of Directive 2014/65/EU
* Post office giro institutions as referred to in Article 2(5), point (3), of Directive 2013/36/EU


Proportionality principle

Article 4 defines the proportionality principle, resulting in some exceptions for smaller enterprises which fall within the scope of the regulation despite their size. This allows for a simplified implementation of certain requirements in accordance with the overall risk profile of the enterprise. An example of this is the simplified ICT risk management framework according to Article 16 in combination with a regulatory technical standard (RTS).


Structure

The regulation comprises 64 articles divided into 9 chapters:

1. General provisions (Art. 1–4)
2. ICT risk management (Art. 5–16)
3. ICT-related incident management, classification and reporting (Art. 17–23)
4. Digital operational resilience testing (Art. 24–27)
5. Managing of ICT third-party risk (Art. 28–44)
6. Information-sharing arrangements (Art. 45)
7. Competent authorities (Art. 46–56)
8. Delegated acts (Art. 57)
9. Transitional and final provisions (Art. 58–64)

In addition, the European Supervisory Authorities develop regulatory and implementing technical standards (RTS and ITS), which, being published in the Official Journal of the European Union, also become legally binding.


Impact

DORA will have an impact on pension schemes. Pension schemes having more than 15 but fewer than 100 members will be subject to a simplified ICT risk management framework.


External links

* Official website: https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en