DORA regulation comes into effect

Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (known as DORA) comes into effect on 17 January 2025. This regulation establishes a single European legal framework for harmonising processes and standards in the area of the digital resilience of financial institutions using information and communication technology (ICT). DORA builds on existing regulatory requirements in the financial sector, complementing them and broadening the group of obliged entities.

The regulation applies to a broad spectrum of financial entities, including banks, insurance companies and management companies. Entities affected by the regulation are listed in Article 2 of DORA. In the Czech Republic, this is expected to affect several hundred entities. DORA does not apply to state administration bodies.

DORA introduces duties in areas such as ICT risk management, incident reporting, digital operational resilience testing, and risk management when working with ICT service providers. The Czech National Bank expects entities to comply with their new duties from 17 January onwards and will take the level of their individual preparation into account.

The CNB will monitor compliance with DORA as part of its supervisory work. Breach of the duties may be classified as an offence subject to sanctions pursuant to the draft Act on the Digitalisation of the Financial Market.