On November 10th, 2022, the European Parliament opted for stricter cybersecurity rules on digital asset providers and other financial institutions in a 612-18 vote.

On November 28th, 2022, the Council of the European Union adopted the Digital Operational Resilience Act (DORA).

First published in September 2020 as part of the EU’s Digital Finance Package (DFP), the Digital Operational Resilience Act, or DORA, is a proposed regulation addressing digital operational resilience for financial services in the European Union, through the introduction of requirements on Information and Communication Technology (ICT) risk management, incident reporting, resilience testing and ICT third-party risk.

In contrast to other EU legislation in the field of cybersecurity (most notably the GDPR and the Directive on Security of Network and Information Systems, or NIS Directive), DORA provides full clarity on the requirements designed to mitigate risks such as cyberattacks or cyber fraud, arising from the increasing reliance of Financial Services Entities on ICT systems and third-party service providers critical to the supply chain supporting the European financial sector — regardless of whether that enterprise or service is based inside the EU. However, the NIS Directive continues to apply. DORA addresses possible overlaps through a lex specialis exception.

The new regulation covers:
* Financial Entities regulated at Union level, namely financial institutions, payment institutions, electronic money institutions, investment firms and crowdfunding service providers.
* Third-Party Service Providers, including cloud platforms, data analytics services and data centres.

Crypto firms such as wallet providers will be regulated under the EU Markets in Crypto Assets Regulation (MiCA)—a law originally proposed as a package along with DORA.

Financial institutions or ICT providers operating outside the EU are not subject to the requirements of the Regulation. However, if the firm is a financial institution or ICT service provider serving the EU financial sector, it will likely be subject to DORA.

Financial Institutions will be required to adopt appropriate measures around:
* ICT risk management: FIs are required, among other things, to set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk, and to set up protection and prevention measures.
* ICT incident management and reporting: FIs will have to design systems to monitor, identify and report incidents to the relevant competent authorities.
* Digital operational resilience testing: testing requirements include vulnerability and network security assessments, gap analyses and software solution testing.
* Sound management of ICT third-party risk: FIs will also have to assess and document all potential risks associated with their external ICT service providers and ensure that their contractual agreements specify their legal obligations under the new legislation and applicable financial services legislation.

Once the DORA proposal has been formally adopted, the relevant European supervisory authorities – mainly the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) – will develop regulatory technical standards that all financial services institutions will have to comply with. National competent authorities will be responsible for supervising compliance. Firms will face a relatively tight 24-month implementation period, starting 20 days after publication in the Official Journal of the European Union.

The Editorial Team