The Dora Regulation: Entry into force and application in Europe

The Dora Regulation: entry into force and application in Europe, by CECA MAGÁN Abogados
16 Jan 2025


Financial entities, including banks, payment institutions, investment firms, insurance companies and reinsurers, will have a new Regulation tomorrow. The DORA Regulation, which entered into force in 2023 and becomes applicable this Friday, January 17, 2025, establishes a framework for digital operational resilience. Its aim is to ensure that the entire financial ecosystem, including the ICT providers it depends on, is protected against digital risks such as cyberattacks or technological failures.

When does DORA go into effect?

We go back to 16 January 2023, when Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector, in other words DORA (Digital Operational Resilience Act), entered into force. Entry into force and application, however, are two different dates: Friday, January 17, 2025 is the date from which the Regulation is fully applicable in the Europe of 27, that is, in Spain, Germany, Belgium, Croatia, Denmark, France, Ireland, Latvia, Luxembourg, the Netherlands, Sweden, Bulgaria, Slovakia, Estonia, Greece, Malta, Poland, the Czech Republic, Austria, Cyprus, Slovenia, Finland, Hungary, Italy, Lithuania, Portugal and Romania.

Dates of entry into force of the DORA Regulation, by CECA MAGÁN Abogados

What is the DORA Regulation?

The DORA Regulation, which entered into force in 2023 and applies from January 17, 2025, is a European Union regulation designed to strengthen digital operational resilience in the financial sector. But what are we talking about when we refer to digital operational resilience?

Under the Regulation, the digital operational resilience of a financial entity is its ability to build, assure and review its operational integrity and reliability. This means ensuring, either with its own means or through ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems it uses, so that those systems keep supporting the provision of financial services and their quality.

In practical terms, this means the financial entity can continue to offer its services securely and with the expected quality even when unexpected disruptions occur, such as cyberattacks or technological failures, because it has prepared for them in advance rather than merely reacting to them.

Who has to comply with DORA?

The entities subject to the DORA Regulation, which must comply with it from its date of application, are:

1. Financial entities, a term under which DORA includes:

  • Credit institutions.
  • Payment institutions.
  • Account information service providers.
  • Electronic money institutions.
  • Investment firms.
  • Crypto-asset service providers authorised under the MiCA Regulation, and issuers of asset-referenced tokens.
  • Central securities depositories.
  • Central counterparties.
  • Trading venues.
  • Trade repositories.
  • Managers of alternative investment funds.
  • Management companies (of UCITS).
  • Data reporting service providers.
  • Insurance and reinsurance undertakings.
  • Insurance, reinsurance and ancillary insurance intermediaries.
  • Institutions for occupational retirement provision (occupational pension funds).
  • Credit rating agencies.
  • Administrators of critical benchmarks.
  • Crowdfunding service providers.
  • Securitisation repositories.

2. ICT (Information and Communication Technology) third-party service providers. The Regulation covers a wide range of them, including cloud computing service providers, software development and deployment providers, data analytics service providers and data centre service providers.

Furthermore, in light of developments in the payment services market, participants in the payment services ecosystem that provide payment processing activities or operate payment infrastructures should also be considered ICT third-party service providers under DORA.

Why are ICT Providers included?

The objective of covering both the financial entities and their ICT service providers is to ensure that the entire financial ecosystem is protected against digital risks, recognising that vulnerabilities can arise not only within an entity but also through the third parties it relies on.

In this regard, and taking into account the potential systemic risk posed by increased outsourcing and the concentration of providers in the ICT sector, DORA considers it necessary to establish an oversight framework allowing continuous monitoring of the activities of those ICT third-party service providers that are critical to financial entities. This is the point DORA highlights: it is the providers' criticality for the financial sector that brings them under direct oversight.

This obliges financial entities to apply a proportionate approach to monitoring the risks arising from ICT third-party service providers, taking into account the nature, scale, complexity and importance of their ICT-related dependencies, the criticality or importance of the services, processes or functions covered by the contractual arrangements and, ultimately, a careful assessment of any potential consequences for the continuity and quality of financial services. So that the entity can regularly assess and monitor whether the provider is able to deliver its services securely, without adversely affecting the entity's digital operational resilience, DORA harmonises a number of key contractual provisions that the contracts with those providers must contain.

What does the DORA Regulation imply from its entry into force and subsequent application?

As indicated by the National Cybersecurity Institute of Spain (INCIBE), the DORA Regulation establishes specific requirements in four main domains:

  1. ICT risk management and governance: Financial entities must implement sound frameworks to manage the risks associated with information and communication technologies. This involves identifying and classifying key assets, conducting ongoing risk assessments, and establishing appropriate protection and detection measures. The entity's management body bears ultimate responsibility for defining and approving the strategy to manage these risks, and its members may face personal consequences if the Regulation is not complied with.
  2. Incident reporting: Entities must have processes to monitor, manage, log and classify ICT-related incidents. Major ICT-related incidents must be reported to the competent authority in successive phases (initial notification, intermediate report and final report), and affected clients must be informed where the incident has an impact on their financial interests. Significant cyber threats may also be reported on a voluntary basis.
  3. Digital operational resilience testing and threat-intelligence sharing: Financial entities must test their ICT systems regularly to assess their robustness and detect vulnerabilities. These tests range from scenario-based exercises and vulnerability assessments to penetration tests, including threat-led penetration testing (TLPT) for the entities designated to carry it out. Likewise, the exchange of information and intelligence on cyber threats and vulnerabilities between entities in the sector is encouraged.
  4. Third-party risk management: Entities must take an active role in managing the risks associated with ICT third-party service providers. This includes establishing contracts with the required content and mapping their dependencies across the supply chain. Critical ICT third-party service providers will be subject to direct oversight by the European Supervisory Authorities and must comply with the requirements set by DORA.

Steps for the entry into force of the DORA Regulation, by CECA MAGÁN Abogados

Who is the Competent Supervisory Authority?

In Spain, the competent authority is the sectoral supervisor of each type of entity: generally the Bank of Spain for credit institutions, payment institutions and electronic money institutions, the National Securities Market Commission (CNMV) for investment firms and, in accordance with the MiCA Regulation, for crypto-asset service providers, and the Directorate-General for Insurance and Pension Funds (DGSFP) for insurance and reinsurance undertakings.

What penalties does the DORA Regulation impose?

The DORA Regulation requires Member States to lay down administrative penalties and remedial measures for non-compliance that are effective, proportionate and dissuasive, and lists the minimum supervisory powers the competent authorities must have (orders to cease conduct, public notices, requests for information), but it leaves the specific types of penalties and the amounts of fines to national law. The one ceiling the Regulation itself fixes concerns critical ICT third-party service providers: the Lead Overseer may impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, for up to six months. Consequently, given the new scenario that applies from the 17th, it remains to be seen what scale the national supervisors will establish for potential infringements and their corresponding sanctions.

At CECA MAGÁN Abogados we can help financial entities and ICT companies to comply with the requirements of the DORA Regulation, applicable from 17 January 2025. You can contact our team here.

Ramón Mesonero-Romanos, Joaquim Matinero e Ingrid González

Blockchain, digital assets and Web3 area, and data protection and digital law area.
