Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector (“DORA” or the “Act”) became enforceable as of 17th January 2025.

DORA Resources

As highlighted in various DORA insights by our Firm over the last few months (including a very useful overview of DORA itself), DORA represents a significant milestone in aligning the financial services sector with the EU’s digital finance strategy, offering a regulatory framework for operational resilience and ICT risk management. Designed to bolster operational resilience against increasingly sophisticated cyber threats, DORA ushers in a new era of accountability for financial entities because it mandates obligations for oversight of critical third-party ICT providers, and incident reporting requirements, setting a unified standard for operational integrity across the EU. Entities have been preparing for the past months and should now be finalising their DORA compliance efforts. Our Firm had launched a DORA microsite with practical information and regular updates to assist in this regard.

Going Forward

Now, the focus shifts from awareness to implementation, adaptation, and enforcement, as stakeholders prepare to manage the practical realities of compliance with DORA.

One of the immediate challenges for financial entities lies in adhering to the internal policies that were amended to match DORA’s requirements. Article 5 of the Act requires the establishment of a proportionate and documented framework for ICT risk management, which must be continuously tested and updated. Large institutions with sophisticated systems may find it easier to align with DORA’s standards, but smaller firms may need to allocate significant resources to achieve compliance. The law’s emphasis on proportionality allows some flexibility, but it is clear that operational resilience is now a non-negotiable standard. Moreover, ensuring continuous alignment with DORA’s obligations on third-party oversight and incident reporting will be a key element in maintaining ongoing compliance with a legal framework that aims to protect the EU financial system’s cyberspace.

Looking ahead, several legal considerations emerge as financial entities and regulators prepare for the full impact of DORA. DORA’s provisions must be harmonised with other EU regulations, including MiFID II, the General Data Protection Regulation (‘GDPR’) and the Network and Information Security Directive (‘NIS2’) to avoid overlaps and conflicts. This integration is particularly important for multinational entities operating across several jurisdictions, as regulatory fragmentation could undermine the uniformity DORA seeks to achieve.

DORA Requirements in Brief

DORA’s Articles 15 and 16, which mandate continuous monitoring and testing, implicitly require financial entities to remain agile and forward-looking.

DORA also opens the door for global regulatory alignment, particularly given the international nature of cyber risks and ICT service dependencies.

Third-party risk management represents another pillar of DORA’s framework, as articulated in Title V of DORA (Articles 28-44). DORA mandates the method of selection and monitoring of critical ICT service providers, placing particular emphasis on contractual provisions that facilitate regulatory oversight. As the ESAs (i.e., ESMA, EBA and EIOPA) continue to issue guidelines, the Regulatory Technical Standards (RTS) remain the primary tool for ensuring adherence to DORA obligations. Financial entities must ensure their third-party arrangements remain adaptable, especially where they rely heavily on cloud services. The underlying legal principle is that outsourced ICT solutions have the potential to cause disruptions that extend beyond individual organisations and could jeopardise systemic stability as a whole.

Compliance officers and personnel entrusted with ensuring compliance with DORA should also focus on meeting the incident reporting requirements correctly. DORA introduces a level of immediacy that may challenge even the most prepared entities. Articles 17 through 19 of DORA establish a framework for classifying and reporting ICT-related incidents, requiring major incidents to be reported without undue delay. Firms must utilise real-time incident management systems that align with DORA’s timelines. This obligation is further complicated by the need to harmonise DORA’s incident reporting requirements with those of other regulatory frameworks, including the GDPR and NIS2, should these also be applicable.

With DORA being a directly applicable EU regulation, there can be no deviations through transposition; hence, national competent authorities (‘NCAs’) will play a pivotal role in ensuring compliance with DORA. A key aspect of the supervisory approach of the Malta Financial Services Authority (“MFSA”) (i.e., Malta’s NCA) will be maintaining proportionality, ensuring that smaller entities are not disproportionately burdened while still holding them accountable to DORA’s objectives.

While DORA compliance will certainly require the ongoing deployment of resources, the benefits of a resilient operational framework are clear. By prioritising gap analyses, engaging with regulators, and investing in ICT infrastructure and expertise, financial entities can turn regulatory compliance into a strategic asset. DORA is not merely a compliance exercise; it is an opportunity to build a robust digital foundation for long-term cyber operational excellence across the EU’s digital finance ecosystem.

This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact the DORA team on: dora@mamotcv.com