THE DORA REGULATION: A STEP TOWARDS A SECURE DIGITAL WORLD

DORA (Digital Operational Resilience Act) is a new EU regulation that aims to improve IT security in the EU. The regulation requires companies to have the plan to manage IT security risks and to report serious IT security incidents. The regulation takes effect on 16 January 2023; in this news, we give you an overview.
News
Banking and Finance

The DORA regulation in short

The regulation aims at different business sectors, including financial services, energy, transport and public services.

Particularly in the banking and finance area, the DORA regulation will have an impact on managers of alternative investment funds (‘’FAIFs’’) and investment management companies (‘’IFS’’) by entailing increased requirements for transparency, reporting and governance.

The rules will also have an impact on platforms that FAIF’s and IFS’s use in connection with communication to the investors in the managed/administered funds. In this connection, communication must be understood broadly and includes e.g. phone calls, emails, social media and websites.

The consequences of the DORA regulation will vary depending on specific circumstances regarding the individual companies, including size, complexity, inherent risks and their business models.

Some of the key requirements of the regulations include:

  • Development of a plan for managing IT security risks: Covered companies must develop a plan to identify, assess and manage IT security risks that may affect their critical functions and services.
    • This includes policies, technical and organizational controls, requirements for training employees, and detailed technical requirements for systems and tools in the company.
  • Procedures for handling serious it security incidents: Companies must have procedures in place to deal with serious IT security incidents, including the steps to avoid, limit and manage the damaging effect.
  • Monitoring of IT systems: Companies must monitor their IT systems to detect and respond to security risks in time.
  • Communication about security risks: Companies must communicate relevant security risks to relevant stakeholders, including external authorities and customers.
  • Regular security tests and evaluations: Companies must conduct regular security tests and evaluations to ensure that their security plans and procedures are up-to-date and effective.
  • Reporting of serious IT security incidents: Companies must report serious IT security incidents to relevant national authorities within a short period of time.

Rules on agreements between companies and IT suppliers

The regulation determines certain rules regarding agreements between the covered companies and IT suppliers. This could be, for example, agreements on outsourcing, which in that case will supplement the already applicable rules for certain financial companies in the field of outsourcing and delegation.

Implementation of the regulation

It is important to note that the concrete details of implementation will first be determined in subsequent implementing regulations. In the next 2 years, before the final application date of 17. January 2025, supplementary rules and guidelines will be issued to clarify the regulation. Overall, the DORA regulation is supplemented by 9 regulatory technical standards (also called ‘’RTSs’’), two implementation technical standards (‘’ITSs’’) and 3 guidelines.

Lund Elmer Sandagers comments

The need for regulation is a result of the digital transformation that the EU and the rest of the world are going through. Lund Elmer Sandager takes a positive view of the entry of the DORA regulation and considers the regulation an important step in the direction of increasing IT security in the EU and protecting both companies and their customers against cyber threats.

If you want to know whether you are covered by the DORA regulation or have other questions about IT security, contact our specialist partner, attorney Kim Høibye or attorney Jakub Zakrzewski for professional, competent advice.

You can also stay up-to-date by signing up for our special newsletter for banking and finance here.

Related employees

Kim is an experienced partner in our Banking and Finance team. He advises both Danish and international clients on all aspects of banking and finance law as well as corporate law.

Kim Høibye

Partner
Attorney
Honas is assistant attorney in the Corporate Commercial team. He advises Danish and international companies on all aspects of banking and finance law.

Honas Kader

Assistant Attorney
Marie is attorney in our Corporate Commercial team. She primarily advises companies on corporate law affairs and financial transactions.

Marie Boyer-Søgaard

Attorney
Kristian is partner in our Litigation and Arbitration team. He primarily advises on corporate law, financing, leasing, and debt collection.

Kristian Ambjørn Buus-Nielsen

Partner
Attorney

Related news

See all news
News

First part of MiCA enters into force and sets the level 2 work of the EU au­thor­it­ies in motion

On 29 June 2023, the first part of the European Parliament and Council Regulation (EU) 2023/1114 on markets for crypto assets (hereinafter MiCA) entered into force. In this update, our banking and finance law specialists take a closer look at the overall distinctions in MiCA. You will also get a summary of the regulation that has now entered into force and the regulation awaiting in 2024 in connection with the remaining parts of MiCA.
Banking and Finance
News

Executive order on foreign UCITS' marketing in Denmark under consultation

On 3 August 2023, the Danish Financial Supervisory Authority disclosed a consultation on the Danish executive order on foreign UCITS’s marketing in Denmark. In this article, you will get an overview of the proposed amendments that may be important to you.
Banking and Finance
News

Political agreement on the AIFM II Directive in the EU

On 24 January 2023, the European Parliament reached a political agreement with the European Commission on the proposed changes to the Directive on Alternative Investment Fund Managers (known as the "AIFM Directive"). The purpose of updating the AIFM Directive ("AIFM II") is to enhance the existing level of investor protection, market efficiency, and supervision of the investment sector in the EU. In this article, Lund Elmer Sandager's banking and finance team examines the political agreement and provides an overview of which of the European Commission's original proposals have been retained and which have been removed from the draft AIFM II directive.
Banking and Finance
News

ESMA guidelines for naming ESG and sustainability-related funds

On 18 November 2022, the European Securities and Markets Authority (ESMA) launched a consultation on new guidelines for naming sustainable funds, specifically funds that use ESG or sustainability-related terms. The consultation concluded in February, and in this update, we will take a closer look at the guidelines as they approach final adoption.
Banking and Finance
News

Resumption of RTS 27 Reporting Obligation

The so-called RTS 27 reports are to be prepared again starting from February 2023. This is due to the temporary suspension of the reporting obligation that the EU had adopted during the COVID-19 pandemic, which is set to expire. In this article, you will get an overview of the RTS 27 reporting obligation and its significance for the entities covered by it, both now and in the future. You will also receive a brief update on the European Commission's work on the proposed amendments to MiFID II.
Banking and Finance
News

Misuse of NemID is ravaging the loan market

We are experiencing more cases of NemID fraud in connection with raising loans. The methods are constantly evolving, and the scammers are becoming more cunning. It places great demands on companies, customers, and lenders if they are to avoid being scammed.
Banking and Finance