Digital Operational Resilience Act (DORA) adopted by Council of the EU
Following agreement in trilogue in May 2022, the Council formally adopted DORA on 28 November 2022.
DORA sets uniform requirements for the security of the network and information systems of companies and organisations operating in the financial sector (such as banks, insurance companies and investment firms), as well as for critical third parties that provide ICT (Information and Communication Technologies) services to them, such as cloud platforms or data analytics services.
Key impacts on boards
Two points identified as impacting boards of financial entities are:
- Creation of an ICT risk management framework built around a set of key principles and requirements, under which the board determines and owns the entity's risk tolerance
- EU-wide standards for digital operational resilience testing, which boards should understand well enough to know how these tests are run, what they cover and what their results mean for the entity
DORA is an EU regulation and therefore applies directly in member states, without national transposition, 24 months after its entry into force (which is 20 days after publication in the EU Official Journal), i.e. around the turn of 2024/2025. EBA, ESMA and EIOPA (the European Supervisory Authorities) will be developing the related technical standards in the meantime.
Digital finance: Council adopts Digital Operational Resilience Act – 28 November 2022
Nordic Board & Executive Advisory, 6 December 2022