Wet Digitale Operationele Veerkracht (DORA)
Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), is a comprehensive framework aimed at ensuring the financial sector in the EU can withstand and recover from ICT-related disruptions. Key sections include requirements for ICT risicoRisico Betekent de kans op verlies of verstoring veroorzaakt door een incident en moet worden uitgedrukt als een combinatie van de omvang van een dergelijk verlies of verstoring en de waarschijnlijkheid dat het incident zich voordoet. Definitie volgens artikel 6 van Richtlijn (EU) 2022/2555 (NIS2-richtlijn) management, incidentIncident Een gebeurtenis die de beschikbaarheid, authenticiteit, integriteit of vertrouwelijkheid in gevaar brengt van opgeslagen, verzonden of verwerkte gegevens of van de diensten die worden aangeboden door of toegankelijk zijn via netwerk- en informatiesystemen. Definitie volgens artikel 6 van Richtlijn (EU) 2022/2555 (NIS2-richtlijn) reporting, operational resilience testing, and third-party risk management. DORA also establishes a regulatory oversight framework for critical third-party ICT-dienstICT-dienst Een dienst die geheel of hoofdzakelijk bestaat uit het overbrengen, opslaan, opvragen of verwerken van informatie door middel van netwerken en informatiesystemen - Definitie overeenkomstig artikel 2, punt 13, van Verordening (EU) 2019/881. providers. It consolidates and updates ICT risk rules across various regulations, promoting consistency, legal certainty, and reduced compliance costs for financial entities operating across borders.
Structuur en hoofdstukken
- General Provisions. This section outlines the scope and objectives of DORA, which applies to a broad range of financial entities, including banks, investment firms, and payment institutions. It defines key terms and establishes the legal foundation for the regulation, emphasizing the need for a uniform approach to digital resilience across the EU.
- ICT Risk Management. This section mandates that financial entities implement comprehensive ICT risk management frameworks. These frameworks must cover all aspects of ICT risk, including identification, protection, detection, response, and recovery. Entities are required to regularly review and update their risk management strategies to address evolving threats.
- ICT-Related Incident Reporting. DORA requires financial institutions to establish clear procedures for reporting significant ICT-related incidents. This includes incidents that have a substantial impact on the entiteitEntiteit Een natuurlijke persoon of rechtspersoon die als zodanig is opgericht en erkend door het nationale recht van zijn vestigingsplaats en die in eigen naam rechten kan uitoefenen en verplichtingen kan hebben. Definitie volgens artikel 6 van Richtlijn (EU) 2022/2555 (NIS2-richtlijn)’s operations, financial stability, or the protection of clients’ funds and data. Timely reporting to competent authorities is crucial for coordinated responses at the EU level.
- Digital Operational Resilience Testing
Financial entities must conduct regular digital operational resilience testing, including threat-led penetration testing (TLPT). The goal is to assess the effectiveness of their ICT risk management and preparedness for potential cyber threats. Entities identified as critical must undergo more stringent testing under the supervision of competent authorities. - Information Sharing. DORA encourages the sharing of information on cyber threats and vulnerabilities among financial entities. This cooperation aims to enhance collective resilience by enabling entities to learn from each other’s experiences and better prepare for potential threats.
- Management of Third-Party Risks. This section regulates the use of third-party ICT service providers, recognizing the risks associated with outsourcing critical functions. Financial entities are required to monitor and manage risks arising from third-party providers, ensuring that these providers meet strict resilience standards. Critical ICT providers may also be subject to direct oversight by EU regulators.
- Supervisory Measures and Penalties. DORA grants supervisory authorities the power to enforce compliance and impose penalties for breaches of the regulation. This section outlines the supervisory framework, detailing the powers of national and European authorities to ensure that financial entities adhere to the requirements. Penalties can be significant, reflecting the seriousness of non-compliance.
The regulation aims to create a harmonized approach to digital operational resilience, ensuring that financial systems in the EU are robust, secure, and capable of withstanding ICT-related disruptions.