Europe's DORA Act Reshapes Financial Tech Regulation

Europe's Digital Operational Resilience Act (DORA) is now establishing unified, directly applicable standards for ICT risk, incident response, and vendor oversight across the financial sector. A new analysis warns of hidden complexity for fintechs, especially regarding its "register of information" requirements. The European Banking Authority stated the act has reshaped risk supervision, aligning regulatory compliance with engineering metrics like those from DevOps Research and Assessment (DORA).

- The Digital Operational Resilience Act (DORA) became fully applicable on January 17, 2025, after entering into force on January 16, 2023, giving financial entities a two-year implementation period. It applies to 20 different types of financial entities, including banks, insurance companies, and investment firms, as well as to the ICT providers that service them.
- A core requirement is the creation and maintenance of a "Register of Information" (RoI) at the entity, sub-consolidated, and consolidated levels. This register must document all contractual arrangements with ICT third-party providers, including details on the services provided, risk assessments, and any sub-contracting arrangements.
- DORA establishes a mandatory and standardized process for reporting major ICT-related incidents. Financial entities must make an initial notification to competent authorities within four hours of detection, an intermediate report within 72 hours, and a final report within one month.
- The act introduces a direct oversight framework for "critical" ICT third-party providers (CTPPs), a new development in financial regulation. The European Supervisory Authorities (ESAs) will designate these CTPPs based on factors such as the systemic impact of their potential failure. The ESAs were scheduled to use the submitted Registers of Information to designate the first CTPPs by July 2025.
- While the regulation and the DevOps Research and Assessment (DORA) framework share an acronym, they are distinct: the regulation sets legal requirements for resilience, while the engineering metrics (such as MTTR and deployment frequency) offer a practical framework for achieving and demonstrating the required level of operational stability.
- Non-compliance can lead to significant penalties. For financial entities, fines can reach up to 2% of their total annual worldwide turnover; critical third-party providers face penalties of up to 1% of their daily worldwide turnover.

Shared from Scout - Be the smartest in the room.