Compliance Monitor
Digital Operational Resilience: requirements expand for EU financial services firms
'DORA' establishes extensive and broader requirements for the management of ICT risk and third-party ICT risk by in-scope financial services firms in the European Union. It also establishes, for the first time, a regime for the direct oversight of certain 'critical' ICT providers in the EU financial services sector. Charlotte Hill and Clare Reynolds explore what the new requirements mean for in-scope firms and how they can start preparing ahead of DORA's application in January 2025.
Charlotte Hill is a partner and head of the Financial Services Regulatory group at Taylor Wessing in London, where Clare Reynolds is senior counsel. Contact them on c.hill@taylorwessing.com and c.reynolds@taylorwessing.com.
Consolidating and updating ICT risk and resiliency requirements across the EU
On 14 December 2022, the long-awaited regulation on digital operational resilience for the financial sector, known as 'DORA', was published in the EU Official Journal.
DORA introduces a detailed and comprehensive framework on digital operational resilience and management of ICT risk across EU financial services firms. It consolidates and updates the ICT risk requirements currently addressed across various pieces of EU sectoral legislation and guidelines (and national variations) into a single legislative act addressing digital risk in EU financial services.