Philipp Rosenauer
Partner Legal, PwC Switzerland
On 10 May, a political agreement was finally reached on the Digital Operational Resilience Act (DORA). We’ve summarised the most important aspects for you.
The Digital Operational Resilience Act (DORA) was adopted by the Commission on 24 September 2020. DORA sets out uniform requirements for the security of network and information systems in the financial industry, as well as for critical third parties that provide information and communication technology (ICT) services to financial entities. A provisional political agreement on DORA was reached on 10 May 2022.
DORA’s purpose is to create legal certainty in relation to the Network and Information Systems Directive (NIS and NIS2), a policy in effect since 2016 that aimed to raise the overall level of European cyber-resilience but proved suboptimal for the financial services industry.
NIS had three main flaws that affected its applicability to financial services: (i) the designation of an entity as critical was left to the member states, each of which had discretion over the definition of criticality; (ii) designations were not made public, which created challenges around the disclosure obligations of listed companies; (iii) non-disclosure could create tension between the obligations imposed by the national NIS supervisor (or by multiple NIS supervisors in different EU Member States) and those imposed by the financial institution’s prudential supervisor.
To address these problems, DORA was designed by DG FISMA as a lex specialis that supersedes the NIS Directive.
In summary, DORA consists of two parts:
The co-legislators reached a provisional political agreement on the Digital Operational Resilience Act on 10 May. Please find below a read-out from the European Parliament:
On scope:
On the ICT risks management framework:
On ICT-related incident reporting:
On testing digital operational resilience:
On oversight framework:
On review clause and application date:
The co-legislators agreed that DORA’s provisions should apply to those entities that are subject to the authorisation regime and supervision under MiCA. The technical team was mandated to align DORA’s scope with an eventual preliminary agreement on MiCA.