The Cyprus Securities and Exchange Commission (CySEC) has outlined key aspects of the implementation of the Digital Operational Resilience Act (DORA), a European regulatory framework designed to enhance the cybersecurity and operational resilience of the financial sector.
Overview of DORA
DORA establishes uniform requirements for managing ICT risks across financial entities in the EU. The framework consists of:
- Digital Operational Resilience Act (EU 2022/2554): A regulation that standardizes digital resilience measures.
- DORA Amending Directive (EU 2022/2556): Updates various EU directives to align with digital resilience objectives.
- Regulatory & Implementing Technical Standards (RTS & ITS): Guidelines issued by the European Supervisory Authorities (ESAs) for ICT risk management.
Scope of Application
DORA applies to a broad range of financial entities, including:
- Traditional financial institutions – banks, investment firms, insurance undertakings, and credit rating agencies.
- Market infrastructure providers – trading venues, central securities depositories, and central counterparties.
- Emerging service providers – crypto-asset service providers, data reporting service providers, and ICT third-party providers.
Key Regulatory Requirements
1. ICT Risk Management
Financial entities must implement a robust ICT risk management framework, ensuring effective governance, risk identification, and mitigation measures.
2. Incident Reporting
Entities are required to establish processes for identifying and reporting ICT-related incidents, including mandatory reporting to CySEC for significant breaches.
3. Operational Resilience Testing
DORA mandates regular resilience testing, including Threat-led Penetration Testing (TLPT) every three years for critical institutions.
4. Third-Party Risk Management
Firms must manage risks related to ICT third-party providers, maintain accountability for outsourced functions, and report on ICT service contracts.
5. Cyber Threat Intelligence Sharing
Entities are encouraged to exchange cybersecurity intelligence to strengthen sector-wide resilience.
6. Oversight of Critical Third-Party Providers
The ESAs will designate critical ICT service providers for enhanced regulatory oversight.
Implementation Timeline
- DORA becomes fully applicable on 17 January 2025.
- The transposition of the DORA Amending Directive into Cyprus law is still pending, as it is in other EU Member States.
For further details, refer to CySEC’s official document on DORA implementation: CySEC DORA Framework.
We recommend that all entities covered by DORA take this opportunity to strengthen their digital and operational resilience. Whether you are just starting or are already well advanced, conducting a gap analysis is a crucial first step in identifying areas for improvement and ensuring compliance.
Our Compliance Team is here to assist you. Feel free to contact us at 25508201 or via email at admin@mnkriskconsulting.com.