
DORA implementation challenges
From 17 January 2025, the Digital Operational Resilience Regulation (EU) 2022/2554 (DORA) comes into effect, and institutions have until this date to reflect the new rules in their practices. The DORA Regulation was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. The current text of the DORA Regulation is supplemented by more detailed rules in draft European implementing legislation, which was published for public consultation by the European Supervisory Authorities and has been developed in two successive packages.
DORA is a major harmonisation initiative that will significantly impact both the standards of cybersecurity of institutions in the European Union (EU) financial sector and the supervisory performance of national and European supervisors in this area. At the same time, it introduces direct supervision of critical IT service providers.
The main objective of DORA is to increase the digital resilience of the EU financial market by harmonising requirements for institutions and supervisors. In addition to setting up procedures to mitigate the impact of cyber incidents and events, the regulation also aims to prevent them. The primary focus of DORA is therefore the operational and digital resilience of EU financial market institutions, including the testing of that resilience. DORA reflects the current importance of information technology in the financial sector: it is not limited to a procedural framework for cyber risk management, but also introduces a systematic approach to digital resilience testing, responds to the growing concentration of IT services, including the increasing reliance on third-party services, and strongly reflects the need for cooperation and information exchange at national and European level.
This paper focuses on the main challenges that have accompanied and will continue to accompany the implementation of DORA in regulated institutions, highlighting some of the changes in the requirements imposed on institutions and in the tools used by supervisors. In this context, the presentation touches upon the undeniable benefits, but also the potential pitfalls, of the new regulation. An essential prerequisite for coping with the challenges associated with the implementation of DORA is the readiness to change the approach to cybersecurity across the organisation, starting with company management. The paper also places DORA in the context of other related European legislative initiatives, particularly in relation to the Network and Information Security 2 (NIS2) Directive.
The approach proposed in DORA can be a very good inspiration not only for entities covered by the regulation but also for ICT process improvement practitioners outside the financial sector.
Martin Fleischmann
Martin Fleischmann has worked in the supervisory sections of the Czech National Bank since 1998. He has significantly contributed to the design, implementation and development of supervision in the area of IS/ICT, operational risks and risks associated with outsourcing. Since 2017, he has been the Director of the Financial Market Control Division III in the Financial Market Supervision Section and is responsible for the implementation of supervision in the area of operational risk management, IS/ICT risk management and prevention of money laundering and terrorist financing. He is a member of the AML Standing Committee (AMLSC) and the Subgroup on ICT risk supervision (SGIT) of the European Banking Authority (EBA). Martin is a graduate of the University of Economics in Prague. In 2010 he completed his PhD studies at the Faculty of Informatics and Statistics of the same school in the field of Applied Informatics.