Regulation on operational digital resilience of the financial sector (DORA)

Added: 2022-07-07

The Presidency of the Council of the European Union and the European Parliament have reached a preliminary agreement on the content of DORA (Digital Operational Resilience Act).

DORA aims to create common requirements for the security of the use of information and communication technology (ICT) by financial entities (including banks and insurers). The current obligations in this area are scattered across various pieces of legislation, are insufficient and need to be harmonized. The Commission presented a proposal including a draft DORA in September 2020. Last December, the first reading of the draft began in the European Parliament.

DORA imposes obligations to develop internal procedures and policies for effective internal risk management (i.e. carried out by the financial entity itself), including ICT audits, data recovery and ICT incident reporting. The regulation also requires a series of digital resilience tests to be conducted annually. At the same time, entities are given a new tool for carrying out these duties: the ability to share incident information with each other.

In addition to internal risk management, DORA emphasizes the management of external risks involving ICT service providers. It is to set requirements for the shape of the parties' contractual obligations and for the standards of protection to be provided by the providers, as well as for keeping a register of the contracts entered into and reporting on them to the regulator. Entities will also have to classify whether the activities covered by ICT outsourcing are critical to them. DORA is therefore also to cover cloud outsourcing. DORA will additionally create a new organizational framework for national and EU regulators.

DORA covers a very wide range of activities of financial entities, because it relates to ICT, an area already partly regulated by various recommendations of EU and national supervisory authorities (including those concerning cloud outsourcing), so it remains to be seen how all the documents issued will relate to one another. It can be assumed, however, that the more an entity already meets the current requirements, the fewer changes it will have to make to comply with DORA, which builds on existing solutions. In the meantime, European regulators are working to develop specific technical standards for security. Only once those standards exist will it be possible, and necessary, to verify whether the solutions already used by financial entities comply with them.
