The surge of new cybersecurity and data legislation in the EU is sure to keep companies busy digesting upcoming regulatory requirements and reviewing existing compliance measures. To name a few, this autumn marks the one-year countdown to the application of the Data Act, a few months until the first provisions of the AI Act kick in, and mere days until the NIS2 Directive should be implemented in EU member states. However, for the financial sector, the most significant regulatory development in this area is the EU’s Digital Operational Resilience Act, more commonly known as DORA.
DORA (i.e., Regulation 2022/2554 on digital operational resilience for the financial sector) aims to support financial entities’ ability to defend against and respond to cyber threats. The key driver for DORA is the financial sector’s particular vulnerability to systemic cyber threats and ICT disruptions, with relevant cybersecurity requirements having so far been relatively scattered across legislation and standards. Consequently, DORA aims to consolidate previously fragmented, and even inconsistent, rules into a single regulation. DORA has been in force since early 2023 but will apply as of 17 January 2025. As an EU regulation, DORA will be directly applicable in EU member states, poised to shift cybersecurity standards in the European financial sector.
DORA at a glance
DORA’s provisions are divided into five distinct areas, namely:
- ICT risk management,
- incident management,
- testing,
- ICT service provider requirements, and
- information sharing.
These so-called five pillars of DORA are further demonstrated in the picture below:
DORA applies to a broad range of financial entities, such as banks, investment firms and payment service providers, and essentially covers all entities supervised by the Finnish Financial Supervisory Authority (FIN-FSA)[1]. Given that the requirements under DORA correspond to many pre-existing obligations, banks and other significant financial entities in particular are well-positioned to adopt DORA’s obligations. For instance, while DORA imposes a new statutory obligation for threat-led penetration testing (so-called TLPT), such testing has already been applied by many in-scope financial entities based on existing financial regulation and standards (such as the TIBER-FI framework coordinated by the Bank of Finland).
Moreover, DORA will not introduce any significant changes to the current supervisory and sanction framework in the Finnish financial sector. The FIN-FSA will act as the supervisory authority also for DORA, and the FIN-FSA’s existing corrective measures and administrative fines will be extended to breaches of DORA.
Avoidance of duplicated obligations
An inherent feature of DORA is its similarity to corresponding obligations under other cybersecurity laws. In particular, the strict reporting obligations and security requirements under DORA have evident overlaps with corresponding requirements under the so-called NIS2 (2022/2555), CER (2022/2557) and PSD2 (2015/2366) directives. Fortunately, to avoid unnecessary regulatory burden, there are specific provisions according to which DORA’s risk management and incident reporting obligations will generally supersede corresponding requirements under the NIS2 and CER directives. To the same effect, major incident reporting obligations under PSD2 and the respective provisions of the Finnish Payment Institutions Act (297/2010) are being replaced by DORA’s reporting requirements. In addition, the FIN-FSA’s current guidelines on, for example, outsourcing, risk management and reporting are also to be updated later in autumn 2024 in order to eliminate obligations duplicated with DORA.
Supporting developments
DORA’s essential requirements and concepts are heavily dependent on supporting legal acts. These include, especially, the so-called implementing and delegated acts for DORA, which are adopted by the European Commission and are generally based on certain European supervisory authorities’ (EBA, EIOPA and ESMA) draft regulatory or implementing technical standards (RTSs/ITSs). These acts provide important details and criteria for applying the ICT risk management tools, methods, processes and policies introduced by DORA.
DORA also requires certain legislative changes on the national level. The relevant government proposal was submitted to the Finnish Parliament in June 2024, and has just recently been endorsed by the Parliament’s Commerce Committee. In practice, this means that the contents of the upcoming national law are now essentially fixed. The legislative change will align national law with DORA, and its key contents relate to the FIN-FSA’s updated tasks and supervisory competences with respect to DORA. According to the government proposal, the FIN-FSA will also be responsible for threat-led penetration testing at the national level. However, this would not affect the Bank of Finland’s responsibility for maintaining the TIBER-FI penetration testing framework, which will continue to serve as a tool for threat-led penetration testing also under DORA.
Despite these supporting legal developments, DORA has raised various questions that remain to be resolved and addressed, ultimately through relevant authority guidance. On the national level, the FIN-FSA held a Q&A session on DORA in September and has recently published a Q&A presentation based on the questions received. However, the FIN-FSA has refrained from providing detailed responses to a relatively large number of questions at this stage.
Timeline ahead
DORA entered into force on 16 January 2023 and will apply as of 17 January 2025. Therefore, this autumn will involve continued DORA developments, including the adoption of further regulatory and implementing technical standards by the European Commission as well as updates to related guidance by the FIN-FSA.
A key aspect of DORA is also its pragmatic interaction with the EU’s upcoming data and fintech regulation. In particular, FiDA (i.e., the proposal on a framework for Financial Data Access) and PSD3 (i.e., the proposal for a directive on payment services and electronic money services) would directly refer to and leverage DORA’s cybersecurity requirements in their provisions. Accordingly, DORA obligations will be repeated and amplified also through these related legislative developments.
[1] A notable exception is that DORA will not apply to Finnish employee pension companies.