
We still have 11 months before DORA, the Digital Operational Resilience Act, starts to apply to financial institutions across the European Union.

In December 2023, a public consultation was launched on proposed new standards for digital risk management in the European financial market.

In 2022, the European Parliament and the Council formally adopted DORA (Regulation (EU) 2022/2554), a landmark regulation first proposed by the European Commission in September 2020 as part of the comprehensive Digital Finance Package. DORA applies from 17 January 2025; a transitional phase is currently underway to allow entities within its scope to prepare. Notably, as an EU regulation rather than a directive, DORA is binding and directly applicable in all Member States without national transposition.

During this transitional phase, DORA mandates the European Supervisory Authorities (ESAs) to prepare jointly, through their Joint Committee, a set of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that further specify, and often supplement, DORA's requirements. Drafts of a first batch of these policy products were released on 19 June 2023 and of a second batch on 8 December 2023. The public consultation on the first batch ran until 11 September 2023, and in January 2024 the first batch was submitted to the European Commission. The public consultation on the second batch runs until 4 March 2024, and the second batch is due to be submitted to the Commission by 17 July 2024.

DORA's scope is extensive, encompassing financial entities such as credit institutions, payment institutions, insurance companies, securities dealers, investment firms, insurance intermediaries, and crypto-asset service providers. Consequently, we are reviewing the internal processes of many clients, recognising that DORA, while building on existing rules, significantly expands regulatory coverage into previously unregulated areas.

DORA comprises four integral parts: the ICT risk management framework, ICT incident management and reporting, digital operational resilience testing, and ICT third-party risk management. The ICT risk management framework, the cornerstone for obligated entities, will require a comprehensive rework and expansion once DORA applies. In our experience, financial entities have already adopted elements of such a framework as part of their existing cyber-risk protection, though to varying degrees and of varying quality. With DORA's application, these elements will need to be meticulously reworked and expanded into a robust and consistent protective system capable of managing all ICT risks.

A fundamental shift will also be required in the relationship with ICT service providers, given that DORA introduces new obligations and requirements for financial entities. These include selecting and contracting ICT service providers, monitoring them, reporting relevant information about them to supervisory authorities and, if necessary, terminating the cooperation in order to safeguard the financial entity's activities.

Undoubtedly, these changes pose significant challenges for our clients, not only in terms of the requisite human resources, as DORA directly requires the creation of new roles with clearly defined lines of responsibility, but also in terms of the necessary financial expenditure. Many of the obligations defined by DORA can be automated using specialised software tools, which eases this burden. However, acquiring and implementing such tools within an ICT risk management framework often entails considerable costs of its own.

In the Czech Republic, compliance with the obligations set out in DORA will be supervised by the Czech National Bank, which will have the authority to impose fines of up to EUR 2 million for breaches of these obligations.

Considering these challenges, it is crucial to view DORA not as a threat but as an opportunity. It presents a chance to adapt internal processes to evolving threats, ultimately leading to a safer and better service for clients. At Greats, we have assembled a team of experienced advisors ready to guide you through DORA. We are well equipped to deal with the intricacies of ICT risk management and would be delighted to address any inquiries you may have in more detail.

For more information on DORA and related issues, please contact Katerina.stanikova@greats.cz

About Greats advokáti:

As AGA's representative law firm in the Czech Republic, Greats offers primarily financial legal services, plus business support, to domestic and international clients, backed by decades of experience, particularly in asset and fund management.

Well versed in representing foreign entities in negotiations with the Czech National Bank, the firm's partners also provide legal services to financial institutions operating primarily in Europe and under European regulations (e.g., MiFID, AIFMD, ELTIF, MiCA, DORA, SFDR, GDPR, CRD, etc.).

Greats also provides specialist legal services to architectural studios, supporting them in this niche sector with tenders for public contracts, negotiations with public procurers and private investors, and the like. Its attorneys also advise on labour and corporate law, real estate, and IP and IT matters.