DORA – Everything you need to know about the regulation

Why is DORA important?

Cyber threats pose an ever-growing risk to the financial sector, which relies heavily on its digital infrastructure. Any operational disruption can lead to financial losses and erode client trust. DORA ensures institutions are equipped to mitigate these risks and maintain service continuity.

The Digital Operational Resilience Act (DORA) represents groundbreaking legislation by the European Union aimed at strengthening the financial sector against cyber threats. Starting in January 2025, entities within its scope, primarily financial institutions, will be required to comply. The regulation also extends to their IT service providers.

The regulation came into effect in early 2023, and from January 17, 2025, mandatory entities must fully adhere to its requirements.

What does DORA bring?

Broad scope of application

The regulation applies to banks, insurers, payment service providers, investment funds, and other financial institutions. It also impacts their IT service providers, ensuring all market participants meet high security standards.

Top management responsibilities

DORA emphasizes the accountability of top management for managing risks in Information and Communication Technology (ICT). Managers must approve cyber resilience strategies and oversee their implementation across the organization.

Third-party risk management

Financial institutions will need to perform due diligence on their IT service providers and ensure contractual cooperation during crisis situations.

Testing and monitoring

Organizations must test their digital resilience, which often includes conducting regular penetration tests. Additionally, they need monitoring systems in place to quickly detect potential issues.

Incident response plans

DORA mandates detailed disaster recovery plans to ensure uninterrupted operations, even in the face of cyberattacks.

How to determine if DORA applies to you as a financial entity?

The quickest way to confirm is to look at DORA itself, specifically Article 2, Paragraph 1, Subsections (a) to (t). These provisions outline whether you fall under the "financial entity" category. Examples include credit institutions, payment service providers, investment firms, or managers of alternative investment funds.

Paragraph 3 of Article 2 lists exceptions – cases where DORA does not apply, even if it might initially seem so. For instance, occupational pension institutions that run pension plans with fewer than 15 participants are exempt.

If you hold a license from the Czech National Bank (CNB), it's likely DORA applies to you as a financial entity. However, exceptions exist, so always consult the regulation for specifics.

Should you focus on DORA while preparing for the new Cybersecurity Act?

In short: YES! DORA takes precedence for financial entities. If both DORA and the new cybersecurity law regulate the same obligation, DORA’s requirements apply.

For example, incident reporting to the National Cyber and Information Security Agency under the new cybersecurity law and reporting incidents to the CNB under DORA will likely need to be done separately. This is because the two regulations set different reporting criteria. However, guidance from the authorities is expected to clarify how these requirements will align.
