Loi sur la résilience opérationnelle numérique (DORA)
Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), is a comprehensive framework aimed at ensuring the financial sector in the EU can withstand and recover from ICT-related disruptions. Key sections include requirements for ICT risqueRisque désigne le potentiel de perte ou de perturbation causé par un incident et doit être exprimé comme une combinaison de l'ampleur de cette perte ou de cette perturbation et de la probabilité d'occurrence de l'incident. Définition selon l'article 6 de la directive (UE) 2022/2555 (directive NIS2) management, incidentIncident Un événement compromettant la disponibilité, l'authenticité, l'intégrité ou la confidentialité des données stockées, transmises ou traitées ou des services offerts par les réseaux et les systèmes d'information ou accessibles par leur intermédiaire. Définition selon l'article 6 de la directive (UE) 2022/2555 (directive NIS2) reporting, operational resilience testing, and third-party risk management. DORA also establishes a regulatory oversight framework for critical third-party Service TICService TIC Un service consistant entièrement ou principalement en la transmission, le stockage, l'extraction ou le traitement d'informations au moyen de réseaux et de systèmes d'information - Définition selon l'article 2, point (13), du règlement (UE) 2019/881. providers. It consolidates and updates ICT risk rules across various regulations, promoting consistency, legal certainty, and reduced compliance costs for financial entities operating across borders.
Structure et sections clés
- General Provisions. This section outlines the scope and objectives of DORA, which applies to a broad range of financial entities, including banks, investment firms, and payment institutions. It defines key terms and establishes the legal foundation for the regulation, emphasizing the need for a uniform approach to digital resilience across the EU.
- ICT Risk Management. This section mandates that financial entities implement comprehensive ICT risk management frameworks. These frameworks must cover all aspects of ICT risk, including identification, protection, detection, response, and recovery. Entities are required to regularly review and update their risk management strategies to address evolving threats.
- ICT-Related Incident Reporting. DORA requires financial institutions to establish clear procedures for reporting significant ICT-related incidents. This includes incidents that have a substantial impact on the entitéEntité Une personne physique ou morale créée et reconnue comme telle par le droit national de son lieu d'établissement, qui peut, en agissant sous son propre nom, exercer des droits et être soumise à des obligations. Définition selon l'article 6 de la directive (UE) 2022/2555 (directive NIS2)’s operations, financial stability, or the protection of clients’ funds and data. Timely reporting to competent authorities is crucial for coordinated responses at the EU level.
- Digital Operational Resilience Testing
Financial entities must conduct regular digital operational resilience testing, including threat-led penetration testing (TLPT). The goal is to assess the effectiveness of their ICT risk management and preparedness for potential cyber threats. Entities identified as critical must undergo more stringent testing under the supervision of competent authorities. - Information Sharing. DORA encourages the sharing of information on cyber threats and vulnerabilities among financial entities. This cooperation aims to enhance collective resilience by enabling entities to learn from each other’s experiences and better prepare for potential threats.
- Management of Third-Party Risks. This section regulates the use of third-party ICT service providers, recognizing the risks associated with outsourcing critical functions. Financial entities are required to monitor and manage risks arising from third-party providers, ensuring that these providers meet strict resilience standards. Critical ICT providers may also be subject to direct oversight by EU regulators.
- Supervisory Measures and Penalties. DORA grants supervisory authorities the power to enforce compliance and impose penalties for breaches of the regulation. This section outlines the supervisory framework, detailing the powers of national and European authorities to ensure that financial entities adhere to the requirements. Penalties can be significant, reflecting the seriousness of non-compliance.
The regulation aims to create a harmonized approach to digital operational resilience, ensuring that financial systems in the EU are robust, secure, and capable of withstanding ICT-related disruptions.