DORA is a regulation (Regulation (EU) 2022/2554) introduced by the European Commission aimed at improving operational resilience in the European financial sector, particularly the security of the network and information systems on which the financial sector relies in order to operate. DORA adds rules for the handling of ICT-related security incidents and for improving the operational resilience of the financial sector's digital systems. Broadly speaking, DORA applies to “financial entities”, a term that includes banks.
What is the Digital Operational Resilience Act (DORA)?
This regulation addresses critical areas, including:
Why were third party providers included in the scope of the DORA regulation?
I am an ICT service provider in the supply chain - how will DORA impact me?
In particular, DORA sets out prescriptive contractual requirements that must be met in every contract under which a financial entity receives “ICT services” from a third party. In this context, “ICT services” covers all digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services that include the provision of technical support via software or firmware updates by the hardware provider. Additional contractual requirements apply to contracts under which financial entities receive ICT services that support their critical or important functions.
If you provide ICT services to a financial entity that falls within the scope of DORA, the contract(s) governing those services must address all of the contractual provisions that DORA requires.
How long do financial institutions have to implement the DORA Regulations?
What are the next steps?
Alternatively, contact:
T: UK: +44 (0) 203 375 8624
T: SA: +27 (0) 21 100 3140
info@cognialaw.com
www.cognialaw.com