THE DORA REGULATION: A STEP TOWARDS A SECURE DIGITAL WORLD
The DORA regulation in short
The regulation applies to a number of business sectors, including financial services, energy, transport and public services.
Particularly in the banking and finance area, the DORA regulation will have an impact on managers of alternative investment funds ("FAIFs") and investment management companies ("IFSs") by entailing increased requirements for transparency, reporting and governance.
The rules will also have an impact on the platforms that FAIFs and IFSs use to communicate with the investors in the funds they manage or administer. In this connection, communication must be understood broadly and includes e.g. phone calls, emails, social media and websites.
The consequences of the DORA regulation will vary depending on specific circumstances regarding the individual companies, including size, complexity, inherent risks and their business models.
Some of the key requirements of the regulation include:
- Development of a plan for managing IT security risks: Covered companies must develop a plan to identify, assess and manage the IT security risks that may affect their critical functions and services. This includes policies, technical and organizational controls, requirements for training employees, and detailed technical requirements for the company's systems and tools.
- Procedures for handling serious IT security incidents: Companies must have procedures in place to deal with serious IT security incidents, including the steps needed to avoid, limit and manage their damaging effects.
- Monitoring of IT systems: Companies must monitor their IT systems so that security risks are detected and responded to in time.
- Communication about security risks: Companies must communicate relevant security risks to the relevant stakeholders, including external authorities and customers.
- Regular security tests and evaluations: Companies must conduct regular security tests and evaluations to ensure that their security plans and procedures remain up to date and effective.
- Reporting of serious IT security incidents: Companies must report serious IT security incidents to the relevant national authorities within a short period of time.
Rules on agreements between companies and IT suppliers
The regulation lays down certain rules on agreements between the covered companies and their IT suppliers. These could be, for example, outsourcing agreements, in which case the rules will supplement the outsourcing and delegation rules that already apply to certain financial companies.
Implementation of the regulation
It is important to note that the concrete details of implementation will only be determined in subsequent implementing regulations. Over the next 2 years, before the final application date of 17 January 2025, supplementary rules and guidelines will be issued to clarify the regulation. Overall, the DORA regulation is supplemented by 9 regulatory technical standards ("RTSs"), two implementing technical standards ("ITSs") and 3 guidelines.
Lund Elmer Sandager's comments
The need for regulation is a result of the digital transformation that the EU and the rest of the world are going through. Lund Elmer Sandager takes a positive view of the entry into force of the DORA regulation and considers it an important step towards strengthening IT security in the EU and protecting both companies and their customers against cyber threats.
If you want to know whether you are covered by the DORA regulation, or have other questions about IT security, contact our specialist partner, attorney Kim Høibye, or attorney Jakub Zakrzewski for professional, competent advice.
You can also stay up to date by signing up for our special banking and finance newsletter here.