Digital Operational Resilience Act (DORA)
Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), is a comprehensive framework aimed at ensuring the financial sector in the EU can withstand and recover from ICT-related disruptions. Key sections include requirements for ICT risk management, incident reporting, operational resilience testing, and third-party risk management. DORA also establishes a regulatory oversight framework for critical third-party ICT service providers. It consolidates and updates ICT risk rules across various regulations, promoting consistency, legal certainty, and reduced compliance costs for financial entities operating across borders.
Structure and key sections
- General Provisions. This section outlines the scope and objectives of DORA, which applies to a broad range of financial entities, including banks, investment firms, and payment institutions. It defines key terms and establishes the legal foundation for the regulation, emphasizing the need for a uniform approach to digital resilience across the EU.
- ICT Risk Management. This section mandates that financial entities implement comprehensive ICT risk management frameworks. These frameworks must cover all aspects of ICT risk, including identification, protection, detection, response, and recovery. Entities are required to regularly review and update their risk management strategies to address evolving threats.
- ICT-Related Incident Reporting. DORA requires financial institutions to establish clear procedures for reporting significant ICT-related incidents. This includes incidents that have a substantial impact on the entity’s operations, financial stability, or the protection of clients’ funds and data. Timely reporting to competent authorities is crucial for coordinated responses at the EU level.
- Digital Operational Resilience Testing. Financial entities must conduct regular digital operational resilience testing, including threat-led penetration testing (TLPT). The goal is to assess the effectiveness of their ICT risk management and preparedness for potential cyber threats. Entities identified as critical must undergo more stringent testing under the supervision of competent authorities.
- Information Sharing. DORA encourages the sharing of information on cyber threats and vulnerabilities among financial entities. This cooperation aims to enhance collective resilience by enabling entities to learn from each other’s experiences and better prepare for potential threats.
- Management of Third-Party Risks. This section regulates the use of third-party ICT service providers, recognizing the risks associated with outsourcing critical functions. Financial entities are required to monitor and manage risks arising from third-party providers, ensuring that these providers meet strict resilience standards. Critical ICT providers may also be subject to direct oversight by EU regulators.
- Supervisory Measures and Penalties. DORA grants supervisory authorities the power to enforce compliance and impose penalties for breaches of the regulation. This section outlines the supervisory framework, detailing the powers of national and European authorities to ensure that financial entities adhere to the requirements. Penalties can be significant, reflecting the seriousness of non-compliance.
The regulation aims to create a harmonized approach to digital operational resilience, ensuring that financial systems in the EU are robust, secure, and capable of withstanding ICT-related disruptions.