The EU Regulation on Digital Operational Resilience for the Financial Sector: Applicability & Compliance Guidance for ICT Service Providers
Abstract
The European Union ('EU') Regulation on Digital Operational Resilience for the Financial Sector, Regulation (EU) 2022/2554 ('DORA'), is the new cybersecurity framework for the entire EU financial sector and its extensive Information and Communication Technology ('ICT') supply chain. It has applied since January 17, 2025. This article assesses the applicability and impact of DORA for ICT third-party supply chain vendors of EU-based financial institutions, with special emphasis on applicability and compliance for IT vendors and cloud service providers. It specifically covers the following key areas: a. Applicability of DORA to ICT third-party service providers (including IT vendors and cloud service providers) of the financial sector; b. Key compliance obligations under DORA for ICT third-party service providers; c. Steps for translating DORA requirements into enforceable contractual requirements for ICT third-party service providers; d. Risks and penalties for non-compliance; and e. Recent regulatory developments related to DORA compliance.