Under the name Digital Operational Resilience Act (DORA), the EU has issued a new regulation to standardize and strengthen the digital operational resilience of the financial sector across the Union. DORA, which was adopted in December 2022, comes into force on 17 January 2025 and must be complied with by the obligated companies from this date. The regulation finds its raison d’être in the now widespread use of information and communication technologies (ICT) in the financial sector as a result of increasing digitalization and networking. DORA is intended to counteract the resulting risks of cyber threats and disruptions. The regulation obliges financial companies and certain ICT service providers to take comprehensive measures to achieve this goal. The term “financial company” covers almost all traditional players in the financial sector, such as credit institutions, investment firms, payment institutions and financial service providers, but also crypto service providers (CASPs) and issuers of asset-referenced tokens. Companies affected are faced with a range of additional legal requirements. As a result, internal processes and procedures must be reviewed and, if necessary, adapted to DORA. As the requirements of DORA are far-reaching, this could represent a considerable burden, especially for smaller companies. It is therefore of particular importance whether DORA provides for exemptions for such companies. So is there any relief for smaller companies?
Same Rules for All? Application to Smaller Companies
One of the guiding principles of DORA is the principle of proportionality. This means that the individual obligations can affect a financial company differently in individual cases depending on its size, overall risk profile, and the type, scope and complexity of its services, activities and transactions. In short, the requirements increase in proportion to the risk. Accordingly, DORA divides financial companies into micro, small and medium-sized enterprises and all financial companies above them. A microenterprise exists – with some exceptions, such as for trading venues, central counterparties or trade repositories – if the company employs fewer than ten people and its annual turnover or annual balance sheet total does not exceed EUR 2 million. A small enterprise is a financial company that employs between 10 and 50 people and whose annual turnover or annual balance sheet total exceeds EUR 2 million but does not exceed EUR 10 million. A medium-sized enterprise employs fewer than 250 people, has an annual turnover of up to EUR 50 million and an annual balance sheet total of up to EUR 24 million. Classification into one of these size categories alone can result in a number of exemptions and simplifications from the requirements of DORA for the corresponding financial companies.
Which Specific Exceptions Could Be Considered?
DORA requires financial companies to implement appropriate ICT risk management. This includes a robust, comprehensive and well-documented ICT risk management framework that enables risks to be quickly identified and remediated. At a minimum, such a framework must include the policies, guidelines, procedures, ICT protocols and tools necessary to properly protect all information and ICT assets, including software, hardware and servers. It must also protect all relevant physical components and infrastructure, such as premises, data centers and designated sensitive areas. To manage and monitor ICT risk, financial companies must also establish an independent control function and review and document the ICT risk framework on an annual and ad hoc basis. Microenterprises are exempt from this: they can dispense with a separate control function and only have to review and document the ICT risk framework regularly and on an ad hoc basis. This is just one of many exceptions that follow from the proportionality principle of DORA. Whether a statutory exemption applies should be examined on a case-by-case basis. Even without a specific statutory exemption, the extent of the measures that a financial company must undertake can vary considerably depending on its risk profile. Overall, DORA is an extremely complex set of regulations that forces companies in the financial sector to further professionalize their business organization with regard to ICT risks.
Attorney Anton Schröder
The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.