Starting January 17, 2025, the Digital Operational Resilience Act (DORA) will require financial entities and their critical information and communication technology (ICT) service providers to comply with enhanced cybersecurity risk management measures. Its goal is to protect the financial sector from ICT disruptions and a new generation of cyber threats.
Scope. DORA applies to financial entities in the EU, such as banks, crypto-providers, trading venues and insurers, and their designated critical ICT service providers. Providers, regardless of their location, must establish a subsidiary in the EU if designated as critical by the European Supervisory Authorities (ESAs), with the first designations expected in the second half of 2025.
Key requirements. This EU regulation introduces comprehensive ICT risk management frameworks, including incident reporting (within four hours), resilience testing, third-party risk management, and threat monitoring. Financial entities must also conclude mandatory contract terms with all their ICT service providers (e.g., SaaS, security, data analysis, communication services) to implement these frameworks. As a result, DORA will affect many organizations servicing financial entities, regardless of their location. A brief overview of the DORA incident reporting timelines (together with those under NIS2 and the Cyber Resilience Act):
Penalties. Non-compliance can result in significant penalties, with national authorities empowered to enforce through inspections, administrative fines varying by country (e.g., up to EUR 5 million or 10 percent of total annual turnover), suspending managerial positions, and criminal sanctions.
Next steps. To prepare, financial companies should review their ICT risk management and incident reporting processes, ensure contracts with ICT providers meet DORA standards, and familiarize themselves with these requirements. Service providers should prepare for customer inquiries and contract amendments.
To learn more about DORA, consult the recording (here) and materials (here) of our most recent webinar in our DORA series. Clients can also sign up to attend our upcoming webinar in the DORA series on January 29, 2025, which will focus on the use of critical ICT service providers, here.
Wilson Sonsini clients who believe they may be experiencing any kind of cybersecurity incident anywhere in the world can contact our experts 24/7 at our incident response hotline, which can be reached at either 32-2-2745777 or 1-650-849-3030.
Wilson Sonsini routinely advises clients on privacy and cybersecurity issues. For further inquiries about the EU’s cybersecurity regulations, please contact Cédric Burton, Nikolaos Theodorakis, Laura Brodahl, or any attorney from Wilson Sonsini’s EU data, privacy, and cybersecurity practice.
