The Digital Operational Resilience Act (DORA), which will be fully applicable from January 17, 2025, is a comprehensive European Union (EU) regulation aimed at enhancing the resilience of financial entities against Information and Communication Technology (ICT) risks. DORA represents a significant shift in the regulatory landscape for financial institutions in Cyprus, aligning with broader EU efforts to enhance cybersecurity measures and operational resilience.
Where is DORA Applicable?
Credit institutions
Payment institutions
Electronic money institutions (EMIs)
Investment firms
Fund managers
ICT third-party service providers (cloud service providers, data analytics providers etc.)
How is the legal framework in Cyprus impacted by DORA?
Harmonization of ICT Risk Management Across the EU
One of DORA’s primary objectives is to harmonize ICT risk management across the European Union. In Cyprus, this means that financial institutions will need to align their ICT risk management frameworks with EU standards, replacing or updating any national regulations that previously governed digital resilience. DORA consolidates and upgrades existing ICT risk requirements, which were previously addressed in a fragmented manner under various EU and national laws. This harmonization reduces regulatory complexity and ensures a uniform approach to managing cyber threats across the EU financial sector.
Interaction with Existing National Laws and Directives
DORA interacts with other relevant laws, such as the NIS 2 Directive (Network and Information Systems Directive), which also applies to some financial entities in Cyprus. However, DORA is considered lex specialis, meaning that in cases of overlap or conflict between DORA and NIS 2, DORA’s more specific provisions take precedence. This ensures that financial institutions are not subject to conflicting obligations but must still comply with broader cybersecurity requirements under NIS 2.
Strengthened Oversight by National Authorities
Cypriot regulatory bodies, such as the Central Bank of Cyprus (CBC) and the Cyprus Securities and Exchange Commission (CySEC), will play a crucial role in enforcing compliance with DORA. These authorities have already started issuing guidance and circulars urging financial entities to begin implementing the necessary changes to meet DORA’s requirements by January 2025. The national regulators will also be responsible for overseeing third-party ICT providers deemed critical to financial institutions, ensuring that these providers meet stringent cybersecurity standards.
Enhanced Focus on Third-Party Risk Management
DORA introduces comprehensive requirements for managing risks associated with third-party ICT service providers, such as cloud platforms or data analytics services. Financial entities in Cyprus must ensure that their contracts with third-party providers include specific provisions related to service levels, data processing locations, termination rights, and audit rights. This represents a shift from previous outsourcing regulations, which were less prescriptive about the content of such contracts.
Incident Reporting and Regulatory Requirements
DORA mandates strict incident reporting requirements for ICT-related disruptions. Financial institutions must report significant incidents within 24 hours of detection and provide a detailed final report within 30 days. This requirement builds on existing national obligations but introduces more stringent timelines and reporting standards, ensuring that Cypriot regulators are promptly informed about potential systemic risks.
Legal Certainty and Reduction of Compliance Costs
By establishing a common framework for digital operational resilience across the EU, DORA aims to reduce legal uncertainty and compliance costs for financial institutions operating in multiple jurisdictions. For Cyprus companies, this means less ambiguity about their obligations regarding digital resilience, as they can now follow a single set of rules rather than navigating multiple overlapping regulations.
Proportionality Principle
DORA applies proportionally based on an entity’s size, complexity, and risk profile. Smaller financial institutions in Cyprus may have lighter compliance obligations compared to larger entities like banks or investment firms. This ensures that regulatory burdens are appropriately scaled while maintaining robust protections against ICT risks.
Penalties for Non-Compliance
Although DORA does not specify exact penalties for non-compliance, it requires member states like Cyprus to establish rules concerning administrative penalties and remedial measures. Cyprus authorities will need to define these penalties within their national legal frameworks to ensure effective enforcement of DORA’s provisions.
How can our firm assist you?
Legal Advisory on the Digital Operational Resilience Act in Cyprus and Abroad - Requirements
We can provide expert legal advice on the specific obligations under the Digital Operational Resilience Act in Cyprus and abroad, helping obliged entities understand how the regulation applies to their operations. This includes:
ICT Risk Management: Advising on the creation and implementation of ICT risk management frameworks that comply with DORA’s standards, ensuring that firms can identify, manage, and mitigate ICT-related risks effectively.
Incident Reporting: Assisting in setting up procedures for reporting significant ICT incidents within the required 24-hour timeframe and preparing final reports within 30 days, as mandated by DORA.
Contractual Compliance with Third-Party Providers
One of DORA’s key focuses is managing third-party risks, particularly for critical ICT service providers.
This would include:
Draft and Review Contracts: Ensure that contracts with third-party ICT providers include all provisions required under DORA, such as service levels, data processing locations, termination rights, and audit rights.
Third-Party Risk Management: Help financial institutions assess and manage risks associated with third-party providers by reviewing existing agreements and ensuring they align with DORA’s requirements.
Policy Drafting and Internal Governance
To comply with DORA, financial entities must establish robust internal governance structures. Our team can assist by:
Drafting Policies: Creating or updating internal policies related to cybersecurity, data protection, incident management, and business continuity to ensure compliance with DORA.
Governance Frameworks: Advising on the establishment of governance structures that ensure oversight of digital operational resilience at the board level.
Gap Analysis and Compliance Audits
We would work with you to conduct a gap analysis, identifying areas where current practices fall short of DORA’s requirements. This includes:
Evaluating existing ICT risk management frameworks.
Identifying vulnerabilities in incident response protocols.
Assessing the adequacy of digital operational resilience testing mechanisms.
Regulatory Liaison and Reporting
We act as an intermediary between obliged entities and national or EU regulators (such as the Central Bank of Cyprus or CySEC), supporting communications and liaison with them. We can:
Prepare Regulatory Reports: Assist in preparing reports for regulators regarding compliance with DORA’s requirements.
Liaise with Regulators: Facilitate communication between financial institutions and supervisory authorities during audits or investigations related to digital resilience.
Cybersecurity Testing and Risk Mitigation Strategies
DORA mandates regular digital operational resilience testing (such as Threat-Led Penetration Testing, TLPT). Our firm collaborates with cybersecurity experts to:
Ensure that testing is conducted in accordance with legal requirements.
Advise on how to use testing results to strengthen compliance frameworks and mitigate risks.
Training and Awareness Programs
We can also offer training programs tailored to the needs of financial institutions, educating staff about their responsibilities under DORA and how to handle ICT-related incidents effectively. This helps ensure that all employees are aware of their roles in maintaining digital operational resilience.
Penalty Avoidance Strategies
Non-compliance with DORA could result in significant penalties. We can help businesses make decisions quickly, evaluate their position, and take the necessary actions to avoid non-compliance, by ensuring timely implementation of all required measures and advising on the legal risks associated with failing to meet DORA’s standards.
Conclusion
The implementation of DORA marks a significant evolution in the legal framework governing digital resilience in Cyprus’s financial sector.
By harmonizing ICT risk management practices across the EU, enhancing third-party oversight, and introducing stringent incident reporting requirements, DORA strengthens both national and EU-wide efforts to protect against cyber threats.
By adopting a holistic yet tailored approach, we can assist obliged entities in adapting their internal processes and governance structures to comply with these new regulations by January 2025 and avoid potential penalties from national regulators.