Provisional Agreement Reached on the Digital Operational Resilience Act (“DORA” or the “Regulation”)

On 28 July 2022, the Malta Financial Services Authority (“MFSA”) published a circular announcing that in May 2022, the European Parliament and the Council reached a provisional political agreement on DORA. This brief article will set out the rationale of DORA, its applicability, and its main objectives.

Rationale of DORA

The EU’s financial services sector is part of the EU’s critical infrastructure. The financial services sector, in the information age, relies heavily on information and communications technology (“ICT”) to be able to perform its functions efficiently and effectively. This high degree of reliance on ICT systems puts the financial services sector at a higher risk of cyberattacks or ICT disruptions which can cause significant harm to all actors in financial services sector (such as financial services operators and their customers) and can also lead to decreased confidence and trust in the sector. DORA aims to reduce this risk by creating a harmonised, integrated and enhanced legislative framework to achieve a high level of digital operational resilience – that is, to make ICT systems harder targets thereby seeking to prevent cybercrimes in the financial services sector.

To whom does DORA apply to?

DORA applies to “financial entities” which include:

• credit institutions;
• financial institutions – payment services providers and electronic money institutions;
• account information service providers;
• investment firms;
• crypto asset service providers;
• central securities depositories;
• central counterparties;
• trading venues;
• trade repositories;
• alternative investment fund managers;
• management companies;
• data reporting service providers;
• insurance and reinsurance undertakings;
• insurance intermediaries;
• pension service providers;
• credit rating agencies;
• crowdfunding service providers; and
• securitisation repositories.

Objectives of DORA

DORA seeks to:

1. achieve harmonisation by consolidating the rules on ICT risk requirements into a single law;
2. enhance and upgrade the rules on ICT risk requirements; and
3. raise awareness of ICT risks.

The Regulation seeks to achieve the above by setting out:

• the legal requirements for financial entities on:
  • ICT risk management;
  • reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities;
  • digital operational resilience testing;
  • information and intelligence sharing in relation to cyber threats and vulnerabilities; and
  • measures for the sound management of ICT third-party risk by financial entities (outsourcing arrangement).

• the contractual requirements concerning the outsourcing of ICT services; and

• the oversight framework for critical outsourced ICT functions.

Financial entities should implement the legal requirements according to the principle of proportionality by taking into account their size, the nature, scale and complexity of their services, activities and operation, and their overall risk profile.

DORA is expected to enter into force (by direct effect) in Q1 of 2023 and should be fully applicable by Q1 of 2025, after a two-year implementation period. The MFSA recommends that financial entities read DORA, begin their preparations and follow continuing developments.