DORA

The European regulation no. 2022/2554 of December 14, 2022 on digital operational resilience for the financial sector (abbreviated as DORA) has important implications not only for actors in the financial sector but also for IT vendors offering critical services.

What is DORA?

DORA will become applicable as of Jan. 17, 2025. The purpose of DORA is to strengthen the operational resilience of EU financial service providers and to prevent and mitigate cyber incidents. It applies to credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, crypto-asset service providers and asset-referenced token (MiCar) issuers, trading platforms, data reporting service providers, insurance companies, insurance intermediaries, providers of crowdfunding services, etc.

Moreover, by January 2024, European financial supervisory authorities will develop additional technical standards that will complement DORA. These standards will describe in more detail what measures financial entities must take to comply with DORA. These standards will be published by the European Commission in 2024 so that financial entities and their IT service providers can prepare to make their operations DORA-compliant.

DORA is an additional regulation that comes on top of NIS2. Thus, financial entities and their IT service providers will have to conform to NIS2, as lex generalis, and to DORA, as lex specialis.

Impact of DORA on IT and cloud vendors

As DORA seeks to prevent and mitigate cyber incidents within the financial sector, the assistance of IT service providers is crucial. In particular, this may include providers of cloud computing services, software, data analytics services and data center service providers. DORA obligations will necessarily be passed on to these IT service providers. Incidentally, DORA also creates an entirely new supervisory framework for critical IT service providers relied upon by financial entities.

This will therefore mean that many contracts between financial institutions and IT service providers will have to be renegotiated, and new contracts will have to take account of DORA. In particular, one can think of SaaS and cloud contracts, but also of service level agreements.

DORA introduces a framework consisting of 5 pillars: (i) ICT risk management, (ii) the reporting of serious ICT incidents, (iii) the testing of digital operational resilience, (iv) the sharing of information regarding cyber threats and (v) measures for the proper management of ICT risk from third-party providers.

The risks associated with relying on IT service providers must be explicitly included in the IT risk management framework. Financial entities are required to adopt a third-party provider risk strategy and must maintain an information record of all contracts with their IT service providers. DORA also includes requirements for ordering new IT services, for terminating those IT services as well as key contractual provisions that must be included in contracts with IT service providers.

Contact

Questions? Need advice?
Contact Attorney Joris Deene.

Phone: 09/280.20.68
E-mail: joris.deene@everest-law.be
