Blog: Countdown To DORA: The Regulation Applies From 17 January … – Mondaq


Countdown To DORA: The Regulation Applies From 17 January 2025

17 January 2023

Finance Malta

To print this article, all you need is to be registered or login on

On 27 December 2022 Regulation (EU) 2022/2554 of the
European Parliament and of the Council of 14 December 2022 on
digital operational resilience for the financial
1 (the
Regulation” or
DORA“) and Amending Directive (EU)
2022/25562 (the “Amending
“) were published on the Official Journal of
the EU and will enter into force on 16 January 2023. The Regulation
will apply from 17 January 2025. Member States are required to
adopt the measures necessary to comply with the Amending Directive
also by 17 January 2025.

DORA represents the EU’s response to the ever-increasing
number of cyberattacks against financial institutions. It’s
designed to strengthen the security of EU financial firms (the
umbrella term “financial entities” is used), such as
banks, insurance companies, payment and e-money institutions,
investment firms, and more by imposing resilience requirements and
regulating the supply chain. It is designed to ensure the services
they provide are not disrupted by cyberattacks, outages or other
risks to the integrity and continuity of those services.

DORA harmonises and consolidates key elements of existing
digital resilience frameworks and standards within the
EU3 but it also introduces new requirements. Financial
entities tend to outsource much of their IT and deal with complex
architectures. It is also for this reason that DORA applies also to
third party service providers of ICT services and impacts the
contracts financial entities agree with those providers. The
sharpened focus on third-party risk management is evident
throughout DORA. The new regulation also brings into scope
providers of critical information to the financial services sector
such as credit rating, critical benchmarking and data reporting
services as well as financial market infrastructure providers such
as central securities depositories, central counterparties and
trading venues.

Broadly, DORA consists of requirements in five main areas:

  • ICT risk management.
  • ICT incident reporting.
  • Digital operational resilience testing.
  • ICT third-party risk management.
  • Information intelligence and sharing.

It is pertinent to note that DORA embraces the principle of
proportionality and, thus, follows the approach found in many other
regulations and in a sense, puts the onus back on the individual
financial entity, to assess and justify the standard and extent of
requirements that it needs to prepare for and eventually

Critical to an efficient implementation of DORA will also be the
awaited raft of Regulatory/Implementing Technical Standards and
Guidelines which will supplement DORA. In Annex 1 to the MFSA
Circular on the publication of DORA issued on the 4 January
2023,4 the MFSA sets out in different delivery deadlines
for the planned work in this regard until the applicability date of
January 2025.

Compliance with DORA is undoubtedly no easy task and can be a
“game changer”. The various entities to whom DORA applies
have a tight two-year preparatory term which should be used to
undertake a gap analysis of their ICT risk management framework,
including reviews of the internal governance structure and ICT risk
and incident management and reporting mechanisms already in place.
Entities should also reassess and renegotiate where necessary their
agreements with third party ICT service providers to make them
compliant with DORA. Entities are also to be prepared for increased
supervisory engagement in this area: when the DORA enters into
force considering that the Regulation provides supervisors with
wider far-ranging mandates and powers. The real consideration for
financial institutions is ultimately how they approach it – a
compliance or “tick the box” exercise or a potential
strategic opportunity.


1. Which amends Regulations (EC) No 1060/2009, (EU) No
648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU)

2. Which amends Directives 2009/65/EC, 2009/138/EC,
2011/61/EU, 2013/36/EU, 2014/59/EU, 2014/65/EU, (EU) 2015/2366 and
(EU) 2016/2341 as regards digital operational resilience for the
financial sector

3. To-date it does not appear that any existing laws or
regulations or guidelines will be repealed, instead these would
exist alongside DORA


The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Finance and Banking from Malta

New PRIIPs Requirements In 2023

KPMG in Cyprus

Many European fund managers have benefited from transition periods since the PRIIPs regulation was first introduced in 2018, but all things come eventually to an end: From 1 January 2023…

EMIR – Update On Recent Regulatory Developments

Dillon Eustace

We highlight below some of the key developments under EMIR which have occurred towards the end of 2022, including the implementation of the remaining aspects of the EMIR Refit proposals.

EMIR: Updating Of Reporting Requirements

Finance Malta

On 7 October 2022, the European Parliament and Council approved a set of Technical Standards[1](the “Technical Standards”) supplementing the European Market Infrastructure Regulation[2] (“EMIR”).

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s