The Digital Opera­tional Resilience Act (DORA) aims to establish an EU legal framework on digital opera­tional resilience for the financial sector. The legislative proposal was published by the EU Commission in September 2020 as part of a Digital Finance Package.

The aim of DORA is in particular to harmonize IT security regula­tions in the financial sector across Europe and to strengthen resilience. In the future, the reporting of serious infor­mation and commu­ni­cation technology (ICT) incidents is to be made only to a national authority. Furthermore, DORA now also includes ICT third-party service providers to a greater extent in the regulation.

The intro­duction of DORA will have far-reaching conse­quences for the financial sector. National regula­tions — such as BAIT, MaRisk or the IT Security Act for Critical Infra­structure Protection (KRITIS) — may be replaced or removed. The addressees are credit insti­tu­tions, e‑money insti­tu­tions, payment service providers, crypto custo­dians, auditors, and many more.

The regulation is expected to enter into force in 2022 or later. We will follow the devel­op­ments in this area hand in hand with you and will gladly support you in the imple­men­tation of the regulatory requirements.