17 January 2025

Cybersecurity in the Financial Sector: EU’s Digital Operational Resilience Act Takes Effect


Beginning 17 January 2025, the Digital Operational Resilience Act (DORA) will apply to almost all EU financial entities, including banks, insurers and reinsurers, brokers, payment and electronic money institutions, investment firms, and crypto-asset service providers.

DORA requires in-scope organizations to comply with common rules and standards for the management of information and communication technology (ICT) risk, which relates broadly to risks arising in relation to the use of network and information systems.

Key pillars of DORA relate to:

  • ICT risk management: Key obligations include cybersecurity governance and asset inventory, and reviewing or implementing certain key documents and processes such as an Information Security Policy and a Business Continuity Plan;
  • Third-party ICT risk management: Vendors must undergo due diligence and extensive contracting obligations apply;
  • Reporting of major ICT-related incidents: Which incidents need to be reported and the content of reporting must meet specific criteria, detailed in related guidance;
  • Testing of digital operational resilience: Including threat-led penetration testing, in some cases; and
  • Information and intelligence sharing: Voluntary sharing of cyber threat information and intelligence.

For in-scope financial entities, DORA’s impact goes far beyond the information security, IT or cybersecurity teams of financial institutions. It imposes requirements relating not only to security measures, but also to agreements with service providers, internal governance, and numerous other processes and policies. It also directly impacts management, which must now receive cyber training, and approve and oversee the ICT risk management framework (for more information, see EU Cyber Legislation Puts Emphasis on Board Responsibility).

DORA also applies directly to “critical” ICT service providers that will be designated by European Supervisory Authorities (ESAs). Furthermore, DORA applies indirectly to all ICT service providers providing services to financial entities within the scope of DORA.

Contracting with Service Providers for DORA Compliance

Organizations within the scope of DORA are required to ensure their contracts with ICT service providers include the contractual provisions in Article 30(2) DORA. Financial entities are required to impose additional contractual requirements in Article 30(3) DORA on ICT service providers that support a “critical or important” function of that financial entity.

Practically, many financial entities have already been updating their templates and their existing contracts with ICT service providers by negotiating DORA amendments to ensure their contracts meet the DORA requirements. Financial entities that have been required to comply with the outsourcing guidelines published by the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), or European Securities and Markets Authority (ESMA) may face fewer changes to their contracting processes. For other financial entities, ensuring compliance with DORA may represent a significant change to their ICT risk management, including their contracting and compliance processes.

Although many service providers who regularly deal with financial entities have prepared their standard DORA amendments, these may not always fully satisfy DORA or other regulatory requirements of in-scope financial entities. Conversely, service providers that wish to facilitate easier onboarding of new financial entities as clients may want to prepare a robust DORA Addendum and FAQ document, to help financial entities understand how the contract with the service provider (if on the service provider’s standard terms) complies with the DORA contractual requirements.

Organizations that face updating a large number of contracts have been adopting a strategic approach by prioritizing contracts that may present key risk to the financial entity.

In the future, we are likely to see DORA standard contractual clauses developed by regulators to facilitate contracting between financial entities and service providers. However, unlike in the data protection context for international transfers of personal data, the use of such standard contractual clauses is not expected to be mandatory.

Technical Standards

DORA is supplemented by a number of binding Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS):

The following standards are in force:

The following standards have been adopted by the European Commission, but are not yet in force:

The following standards are awaiting adoption by the European Commission:

While not all of the RTS and ITS are in force yet, financial entities and ICT service providers have been using the versions published by the European Commission and ESAs to align their contracts and processes, to ensure they satisfy the applicable requirements without having to go through another re-papering exercise when all of the RTS and ITS officially take effect.

Implementation in Germany

The German Financial Supervisory Authority (BaFin) provides guidance on the implementation of DORA on its DORA website (in German only).

BaFin has issued a non-binding Supervisory Notice on the implementation of DORA in ICT risk management and ICT third-party risk management. It considers BaFin guidance that existed prior to DORA (the circulars Banking Supervisory Requirements for IT (BAIT) and Insurance Supervisory Requirements for IT (VAIT)), and compares and contrasts DORA and subsequent guidance to help financial entities fill the gaps. This new BaFin guidance may also be helpful for capital management companies and payment and e-money institutions, given that the BaFin guidance applying to these institutions (circulars KAIT and ZAIT, respectively) had similar requirements to the key circulars on which the Supervisory Notice is focused (BAIT and VAIT).

To avoid duplicate regulation, BaFin has rescinded its circulars KAIT, VAIT and ZAIT, effective 16 January 2025. BAIT, in turn, will only continue to apply to financial institutions that are not subject to DORA, and will be completely repealed on 31 December 2026, when such institutions must comply with DORA by virtue of German law.

Certain aspects of DORA were complemented in Germany by the Financial Market Digitization Act, which also complements the Markets in Crypto-Assets Regulation and the revised Transfer of Funds Regulation. (For more information, see German Parliament Passes Act on the Digitalization of Financial Markets.)

Developments in the United Kingdom

Post-Brexit, the European Union’s key legislative measures on strengthening cybersecurity and digital operational resilience – DORA, NIS2 and the Cyber Resilience Act (read our Legal Update for more details) – are not directly applicable in the United Kingdom.

However, the United Kingdom has also worked towards strengthening operational resilience in the UK financial services sector:

  • In March 2021, the UK Financial Conduct Authority, Prudential Regulation Authority and Bank of England published their PS21/3 on Building operational resilience with a compliance deadline of 31 March 2025; and
  • In November 2024, the UK Financial Conduct Authority, Prudential Regulation Authority and Bank of England published their PS24/16 on Operational resilience: Critical third parties to the UK financial sector, which took effect 1 January 2025 and allows HM Treasury to designate critical third parties that are required to comply with specific operational risk and resilience requirements (similar to critical ICT service providers under DORA).

EU Rules and their Potentially Global Impact

EU subsidiaries of global financial entities will be directly subject to DORA. In addition, DORA may have indirect impact on non-EU subsidiaries of global organizations, depending on how the procurement of key data and digital services is organized – for example, due to DORA contracting requirements flowing down the supply chain.

For more information, please contact the authors or other members of our global interdisciplinary team, who have been advising both financial entities and service providers on DORA applicability and compliance.
