The EU’s Digital Operational Resilience Act (DORA) has become applicable from 17 January 2025 onwards. Designed to enhance the digital operational resilience of financial entities in the EU, the regulation aims to address the growing ICT risks that expose financial systems to vulnerabilities.
Under DORA, financial entities are obligated to establish a comprehensive ICT risk management framework. This includes strategies, policies, and procedures to protect information and ICT assets, ensuring the security and resilience of ICT systems, as well as processes for managing ICT-related incidents. Incident management involves classifying incidents based on their impact and reporting major incidents, in the case of Finnish financial entities, to the Finnish Financial Supervisory Authority (FIN-FSA).
Financial entities must also maintain a register of their contractual arrangements with ICT service providers, which register may be requested by the supervisory authority. Regular testing of ICT systems and of the risk management framework is required to identify vulnerabilities and ensure resilience, as well as to establish consistency and align practices between Member States. Most financial entities (other than smaller entities) are also required to perform threat-led penetration testing (TLPT) of their critical and important functions at least every three years.
In addition to financial entities, DORA also has implications for their ICT service providers. Financial entities may only enter into contractual arrangements with ICT service providers that comply with appropriate security standards, and new contractual arrangements are always subject to due diligence and concentration risk assessments by the financial entity.
Furthermore, DORA sets out specific requirements for contractual provisions between financial entities and their ICT service providers, which requirements include provisions on subcontracting, integrity of data, service levels and termination rights. Requirements for contractual provisions are more rigorous where the ICT services support critical or important functions of a financial entity, such as an obligation for such service providers to participate in TLPT, and audit rights for the financial entities.
Certain ICT service providers will be designated annually by the European Supervisory Authorities as critical ICT service providers based on their systemic impact and importance to financial entities, and in accordance with the criteria set out in DORA. Such critical ICT service providers will be subject to an extensive oversight framework. The FIN-FSA estimates that the first critical ICT service providers will be designated in the autumn of 2025.
The implementation of DORA and the collection of technical standards thereunder have demanded significant efforts by financial entities. Ongoing compliance with the regulation will require continued work both on the side of financial entities and their ICT service providers. We are happy to discuss the implications of DORA. For more information, please contact Ada Klaile, Julianna Havunen, and Salla Suominen.