Beginning 17 January 2025, the Digital Operational Resilience Act (DORA) will apply to almost all EU financial entities, including banks, insurers and reinsurers, brokers, payment and electronic money institutions, investment firms, and crypto-asset service providers.
DORA requires in-scope organizations to comply with common rules and standards for the management of information and communication technology (ICT) risk, which relates broadly to risks arising in relation to the use of network and information systems.
Key pillars of DORA relate to:
For in-scope financial entities, DORA’s impact goes far beyond the information security, IT or cybersecurity teams of financial institutions. It imposes requirements relating not only to security measures, but also to agreements with service providers, internal governance, and numerous other processes and policies. It also directly impacts management, which must now receive cyber training, and approve and oversee the ICT risk management framework (for more information, see EU Cyber Legislation Puts Emphasis on Board Responsibility).
DORA also applies directly to “critical” ICT service providers that will be designated by European Supervisory Authorities (ESAs). Furthermore, DORA applies indirectly to all ICT service providers providing services to financial entities within the scope of DORA.
Organizations within the scope of DORA are required to ensure their contracts with ICT service providers include the contractual provisions in Article 30(2) DORA. Financial entities are required to impose additional contractual requirements in Article 30(3) DORA on ICT service providers that support a “critical or important” function of that financial entity.
Practically, many financial entities have already been updating their templates and their existing contracts with ICT service providers by negotiating DORA amendments to ensure their contracts meet the DORA requirements. Financial entities that have been required to comply with the outsourcing guidelines published by the European Banking Authority (EBA), European Insurance and Occupational Pensions Authority (EIOPA), or European Securities and Markets Authority (ESMA) may face fewer changes to their contracting processes. For other financial entities, ensuring compliance with DORA may represent a significant change to their ICT risk management, including their contracting and compliance processes.
Although many service providers who regularly deal with financial entities have prepared their standard DORA amendments, these may not always fully satisfy DORA or other regulatory requirements of in-scope financial entities. Conversely, service providers that wish to facilitate easier onboarding of new financial entities as clients may want to prepare a robust DORA Addendum and FAQ document, to help financial entities understand how the contract with the service provider (if on the service provider’s standard terms) complies with the DORA contractual requirements.
Organizations that need to update a large number of contracts have been adopting a strategic approach, prioritizing the contracts that may present key risks to the financial entity.
In the future, we are likely to see DORA standard contractual clauses developed by regulators to facilitate contracting between financial entities and service providers. However, unlike in the data protection context for international transfers of personal data, the use of such standard contractual clauses is not expected to be mandatory.
DORA is supplemented by a number of binding Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS):
The following standards are in force:
The following standards have been adopted by the European Commission, but are not yet in force:
The following standards are awaiting adoption by the European Commission:
While not all of the RTS and ITS are in force yet, financial entities and ICT service providers have been using the versions published by the European Commission and ESAs to align their contracts and processes, to ensure they satisfy the applicable requirements without having to go through another re-papering exercise when all of the RTS and ITS officially take effect.
The German Financial Supervisory Authority (BaFin) provides guidance on the implementation of DORA on its DORA website (in German only).
BaFin has issued a non-binding Supervisory Notice on the implementation of DORA in ICT risk management and ICT third-party risk management. It considers BaFin guidance that existed prior to DORA (the circulars Banking Supervisory Requirements for IT (BAIT) and Insurance Supervisory Requirements for IT (VAIT)), and compares and contrasts DORA and subsequent guidance to help financial entities fill the gaps. This new BaFin guidance may also be helpful for capital management companies and payment and e-money institutions, given that the BaFin guidance applying to these institutions (circulars KAIT and ZAIT, respectively) had similar requirements to the key circulars on which the Supervisory Notice is focused (BAIT and VAIT).
To avoid duplicate regulation, BaFin has rescinded its circulars KAIT, VAIT and ZAIT, effective 16 January 2025. BAIT, in turn, will only continue to apply to financial institutions that are not subject to DORA, and will be completely repealed on 31 December 2026, when such institutions must comply with DORA by virtue of German law.
Certain aspects of DORA were complemented in Germany by the Financial Market Digitization Act, which also complements the Markets in Crypto-Assets Regulation and the revised Transfer of Funds Regulation. (For more information, see German Parliament Passes Act on the Digitalization of Financial Markets.)
Post-Brexit, the European Union’s key legislative measures on strengthening cybersecurity and digital operational resilience – DORA, NIS2 and the Cyber Resilience Act (read our Legal Update for more details) – are not directly applicable in the United Kingdom.
However, the United Kingdom has also worked towards strengthening operational resilience in the UK financial services sector:
EU subsidiaries of global financial entities will be directly subject to DORA. In addition, DORA may have indirect impact on non-EU subsidiaries of global organizations, depending on how the procurement of key data and digital services is organized – for example, due to DORA contracting requirements flowing down the supply chain.
For more information, please contact the authors or other members of our global interdisciplinary team, who have been advising both financial entities and service providers on DORA applicability and compliance.
Mayer Brown is a global legal services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown Hong Kong LLP (a Hong Kong limited liability partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) (collectively, the “Mayer Brown Practices”). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC (“PKWN”) is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. More information about the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website.