The Autumn and Final Countdown for DORA Have Kicked Off

The surge of new cybersecurity and data legislation in the EU is sure to keep companies busy digesting upcoming regulatory requirements and reviewing existing compliance measures. To name a few, this autumn marks the one-year countdown to the application of the Data Act, a few months until the first provisions of the AI Act kick in, and mere days until the NIS2 Directive must be transposed into national law in the EU member states. For the financial sector, however, the most significant regulatory development in this area is the EU’s Digital Operational Resilience Act, more commonly known as DORA.

DORA (i.e., Regulation (EU) 2022/2554 on digital operational resilience for the financial sector) aims to strengthen financial entities’ ability to withstand, respond to and recover from ICT-related disruptions and cyber threats. The key driver for DORA is the financial sector’s particular exposure to systemic cyber threats and ICT disruptions, combined with the fact that the relevant cybersecurity requirements have so far been scattered across various pieces of legislation and standards. DORA therefore consolidates previously fragmented, and at times inconsistent, rules into a single regulation. DORA has been in force since early 2023 and will apply as of 17 January 2025. As an EU regulation, DORA is directly applicable in the member states without national transposition, and it is poised to raise the cybersecurity baseline across the European financial sector.

DORA at a glance

DORA’s provisions are divided into five distinct areas, namely:

  • ICT risk management,
  • ICT-related incident management and reporting,
  • digital operational resilience testing,
  • management of ICT third-party risk (including requirements for ICT service providers), and
  • information sharing.

These so-called five pillars of DORA are illustrated in the picture below:

DORA applies to a broad range of financial entities, such as banks, investment firms and payment service providers, and essentially covers all entities supervised by the Finnish Financial Supervisory Authority (FIN-FSA)[1]. Given that many of DORA’s requirements correspond to pre-existing obligations, banks and other significant financial entities in particular are well positioned to adopt them. For instance, while DORA introduces a new statutory obligation to carry out threat-led penetration testing (so-called TLPT), many in-scope financial entities already perform such testing on the basis of existing financial regulation and standards (such as the TIBER-FI framework coordinated by the Bank of Finland). In practice, the gap for these entities lies less in the testing itself than in meeting DORA’s specific requirements on scope, frequency and documentation of the tests.

Moreover, DORA will not introduce any significant changes to the current supervisory and sanction framework in the Finnish financial sector. The FIN-FSA will act as the competent supervisory authority also under DORA, and its existing corrective measures and administrative fines will be extended to cover breaches of DORA.

Avoidance of duplicated obligations

An inherent feature of DORA is its overlap with corresponding obligations under other cybersecurity laws. In particular, the strict reporting obligations and security requirements under DORA clearly overlap with the requirements of the so-called NIS2 (2022/2555), CER (2022/2557) and PSD2 (2015/2366) directives. To avoid unnecessary regulatory burden, specific provisions establish that DORA’s ICT risk management and incident reporting obligations generally apply as lex specialis and take precedence over the corresponding requirements of the NIS2 and CER directives for financial entities within DORA’s scope. To the same effect, the major incident reporting obligations under PSD2 and the corresponding provisions of the Finnish Payment Institutions Act (297/2010) are being replaced by DORA’s reporting requirements. In addition, the FIN-FSA’s current guidelines on, for example, outsourcing, risk management and reporting are to be updated later in autumn 2024 in order to eliminate obligations duplicated by DORA.

Supporting developments

DORA’s essential requirements and concepts depend heavily on supporting legal acts. These include, in particular, the implementing and delegated acts under DORA, which are adopted by the European Commission and are generally based on draft regulatory or implementing technical standards (RTSs/ITSs) prepared by the European supervisory authorities (EBA, EIOPA and ESMA). These acts provide the detailed criteria for applying the ICT risk management tools, methods, processes and policies introduced by DORA, for instance the classification of ICT-related incidents, the content and timelines of incident reports, and the register of information on contractual arrangements with ICT third-party service providers.

DORA also requires certain legislative changes at the national level. The relevant government proposal was submitted to the Finnish Parliament in June 2024 and was recently endorsed by the Parliament’s Commerce Committee. In practice, this means that the contents of the upcoming national law are now essentially fixed. The legislative change will align national law with DORA, and its key contents concern the FIN-FSA’s updated tasks and supervisory competences with respect to DORA. According to the government proposal, the FIN-FSA will also be the authority responsible for threat-led penetration testing at the national level. This would not, however, affect the Bank of Finland’s responsibility for maintaining the TIBER-FI framework, which will continue to serve as the tool for threat-led penetration testing also under DORA.

Despite these supporting legal developments, DORA has raised various open questions that will ultimately need to be resolved through guidance from the relevant authorities. At the national level, the FIN-FSA held a Q&A session on DORA in September and has recently published a Q&A presentation based on the questions received. However, the FIN-FSA has refrained from providing detailed responses to many of the questions at this stage.

Timeline ahead

DORA entered into force on 16 January 2023 and will apply as of 17 January 2025. This autumn will therefore see continued DORA developments, including the adoption of further regulatory and implementing technical standards by the European Commission as well as updates to related guidance by the FIN-FSA.

Another key aspect is the interaction between DORA and the EU’s upcoming data and fintech regulation. In particular, FiDA (i.e., the proposal for a framework for Financial Data Access) and PSD3 (i.e., the proposal for a directive on payment services and electronic money services) would directly refer to and build on DORA’s cybersecurity requirements. Accordingly, DORA obligations will be echoed and reinforced through these related legislative developments as well.

[1] A notable exception is that DORA will not apply to Finnish employee pension companies.
