Financial services entities have become used to complying with intense cybersecurity requirements, but the bar will be raised on 17 January 2025 when the EU Digital Operational Resilience Act (DORA) takes effect. Introducing management liability, cybersecurity risk management controls, and mandatory contracting elements applicable to information and communication technology (ICT) service providers, DORA will have a lot in its backpack to unpack.
DORA, which will have direct effect in all EU member states for in-scope financial services firms (Firms) casts a wide net capturing not only banks, investment firms, and credit and payment institutions, but also trading venues and repositories, crypto service providers and issuers, credit rating agencies, and insurers.
A large part of DORA’s ‘digital operational resilience’ focuses on the ability of Firms to withstand, respond to, and recover from all types of ICT disruptions and cyber threats – making cybersecurity a key piece of the puzzle. Where Firms find themselves under the rule of multiple cybersecurity regimes, such as NIS2 as well as the Critical Entities Resilience Directive (CER), DORA takes precedence where there is…
