EU's Digital Operational Resilience Act applies today

The EU's Digital Operational Resilience Act, or ‘DORA’, which contains new EU rules concerning the provision of information and communication technology (ICT) services to regulated financial institutions, applies from today, 17 January 2025. 

DORA responds to the increasing dependence of the financial sector on technology and on tech companies to deliver financial services, and seeks to ensure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption. To this end, DORA sets digital operational resilience standards for EU regulated financial institutions, requiring them to manage their ICT risks effectively, and will subject critical ICT third-party service providers (ICT CTPs) to a brand new oversight framework. 

ICT CTP designations are expected in Q3 2025, and initial designations are expected to focus on large cloud and other infrastructure providers (and increasingly, artificial intelligence solutions). ICT CTPs which are designated as critical to the EU financial sector will be subject to oversight by the European Supervisory Authorities (ESAs) acting as so-called “Lead Overseers”. This designation will depend on both quantitative and qualitative factors and focuses on the substitutability of the service provision. 

For financial institutions that are used to operating within the ambit of the EU’s existing outsourcing rules, DORA is unlikely to require fundamental changes to existing processes, controls and arrangements, although regulators will now have renewed focus on this topic. For technology providers designated as CTPs however, the changes are likely to be more significant, as firms adapt for the first time to direct supervision by EU financial services regulators. It remains to be seen how active the oversight by the Lead Overseers will be and whether DORA will have the same level of impact as the EU's Digital Services Act and Digital Markets Act.

We wrote about DORA in more detail, and how its provisions compare with equivalent UK regulation, as part of this year's Horizon Scanning series (link).