DORA’s main provisions and their impact on CASPs

written by Efi Thoma, Lawyer, LL.B. | LL.M. | IMES

The Digital Operational Resilience Act (DORA) is part of the European Union's broader effort to ensure a safe and resilient digital financial ecosystem. DORA applies to a wide range of financial institutions, including banks, insurers, investment firms, and Crypto-Asset Service Providers (CASPs), which operate in the rapidly growing crypto-asset sector.

DORA is a key regulatory framework adopted by the European Union (EU) to enhance the operational resilience of financial institutions and markets, particularly in the face of increasing reliance on information technology (IT) systems and digital tools. The EU Regulation, which was introduced as part of the EU's Digital Finance Package, aims to ensure that financial institutions can withstand and recover from a variety of disruptions, including cyber attacks, system failures, and other digital operational risks.

DORA applies to a broad range of financial entities, including:

  • Banks, investment firms, and insurance companies;
  • Payment service providers, clearing houses, and trade repositories;
  • Critical third-party providers, such as cloud service providers (CSPs), IT outsourcing firms, and data centers.

What exactly are DORA’s provisions?

  • ICT Risk Management: Financial institutions must have robust risk management processes in place for Information and Communication Technology (ICT) risks. This includes the identification of critical systems, implementing risk mitigation strategies, and ensuring business continuity in the event of an ICT failure.
  • Incident Reporting: DORA requires financial institutions to report major ICT-related incidents to the relevant authorities within strict timeframes. The regulation establishes clear guidelines for the reporting process to ensure transparency and swift response.
  • Third-Party Risk Management: Financial institutions are required to manage and monitor the risks associated with third-party service providers, especially those providing critical services like cloud computing, data management, and other IT outsourcing. Financial firms need to ensure that their third-party relationships do not introduce vulnerabilities to their operations.
  • Testing and Resilience Planning: Firms must regularly test their operational resilience through processes like penetration testing, simulation exercises, and stress tests. This is to ensure they can recover quickly from disruptions.
  • Outsourcing: DORA sets out specific requirements for outsourcing arrangements to critical third-party providers. Financial institutions are required to ensure that such arrangements are resilient and that third parties comply with the same operational resilience standards as the institutions themselves.
  • Supervision and Compliance: Regulatory authorities will oversee and enforce DORA compliance. The European Supervisory Authorities (ESAs), including the European Central Bank (ECB) and national regulators, will work together to supervise financial entities under DORA.

Why is DORA important? It is a significant legal act because it addresses the following:

  • Cyber Security Threats: With the increasing threat of cyber attacks on the financial sector, DORA is a vital EU Regulation to mitigate risks associated with cyber threats and protect sensitive financial data.
  • Operational Continuity: DORA ensures that financial services can continue operating during crises or disruptions, safeguarding financial stability and customer trust.
  • Consistency across the EU: The Regulation provides a unified approach to operational resilience across EU Member States, ensuring consistent standards and supervision.

The European Union has also recognized the need to regulate the rapidly expanding sector of crypto-assets, which includes digital currencies, tokens, and other decentralized financial products. CASPs include exchanges, wallets, trading platforms, and custodial services, and they are now subject to specific EU regulations, including the MiCAR (Markets in Crypto-Assets) Regulation. As crypto-assets gain popularity, protecting consumers from fraud, scams, and volatile markets becomes critical. MiCAR and related legal acts aim to ensure that CASPs operate in a transparent and trustworthy manner. By establishing clear rules and promoting market integrity, the EU aims to support innovation in the crypto sector while ensuring fair competition and avoiding regulatory fragmentation across EU Member States.

DORA impacts CASPs as follows:

  • Third-Party Service Providers for CASPs: If a CASP relies on third-party services, including cloud providers or technology vendors, it must ensure that those IT systems are resilient and comply with DORA’s operational resilience standards. This is particularly important for maintaining the availability and integrity of crypto services.
  • Cyber Security and Risk Management: DORA emphasizes robust risk management practices, particularly regarding cyber security. CASPs, like other financial institutions, need to manage the risks associated with cyber threats, data breaches, and other digital disruptions, which are central to DORA’s objectives.
  • Incident Reporting: DORA requires timely reporting of significant incidents, ensuring that competent regulators are alerted to any disruptions that may affect market integrity or consumer protection.

In essence, DORA is a critical component of the EU's digital finance landscape. It ensures the operational resilience of financial institutions by addressing ICT risks, while the MiCAR Regulation focuses on regulating the rapidly growing crypto sector, predominantly CASPs, and on ensuring consumer protection, financial stability, and market integrity. As the financial ecosystem becomes more digitized and interconnected, both EU Regulations play a crucial role in maintaining a secure, transparent, and resilient market environment.

Efi Thoma is a member of Cyprus & Greece Bar Associations & holder of Advanced CySEC Certificate (contact details: ethoma@legalexpertscy.com)
