The DORA Regulation (Digital Operational Resilience Act), which will come into effect on January 17, 2025, aims to strengthen the digital operational resilience of financial entities within the European Union. Although DORA does not specifically address market abuse, it imposes new obligations on financial firms regarding the management of risks related to information and communication technologies (ICT), which may indirectly contribute to preventing such abuses.

The main obligations introduced by DORA for financial firms are as follows:

1. Establishment of an ICT Risk Management Framework:

Firms must implement processes and procedures to assess and manage ICT-related risks, including threat analysis, impact tolerance definitions, and the development of a risk appetite framework. This also involves implementing technical and organizational measures for ICT and cyber risk prevention and protection, along with proactive monitoring and early anomaly detection.

2. ICT Incident Management and Reporting:

Financial entities are required to monitor, manage, and record ICT-related incidents. They must classify incidents based on their severity and report significant ones to the relevant authorities. This transparency aims to enhance market confidence.

3. Digital Operational Resilience Testing:

Firms must conduct regular tests to evaluate their digital resilience. This includes basic testing for all financial entities and advanced testing, such as penetration tests, for significant financial entities. A comprehensive program for digital operational resilience testing must be established, covering cybersecurity aspects and aligning with the TIBER-EU framework.

4. Management of ICT Third-Party Service Provider Risks:

Firms must revise contracts with ICT service providers to include uniform minimum clauses. They are also required to adopt a strategy for monitoring and managing risks associated with these providers and maintain an updated register containing details of all agreements with them.

5. Cybersecurity Information Sharing:

DORA encourages the voluntary sharing of operational information on cyber threats and vulnerabilities among financial sector actors to enhance collective resilience.

By bolstering digital operational resilience, DORA contributes to the stability of the financial system, which can indirectly help prevent market abuses by ensuring the continuity and reliability of financial operations. Affected firms must prepare to meet these new requirements by January 2025 to ensure compliance.