Rules Navigator

Infringement procedures launched over delayed DORA transposition

Berlaymont Building Headquarter of the EU Commission.
Photo: Thierry Monasse/Getty Images

Jean Hurley

 Click to share on Facebook (Opens in new window/tab) Click to share on Twitter (Opens in new window/tab) Click to share on LinkedIn (Opens in new window/tab) Click to share on WhatsApp (Opens in new window/tab)

Full implementation is vital for strengthening the EU’s financial sector against increasing digital risks.

The European Commission has taken decisive action to ensure the uniform application of the Digital Operational Resilience Act Directive (EU) 2022/2556 (DORA) across the European Union, initiating infringement procedures against 13 Member States.

These procedures, marked by the issuance of formal letters of notice, target Belgium, Bulgaria, Denmark, Greece, Spain, France, Latvia, Lithuania, Malta, Poland, Portugal, Romania, and Slovenia for their failure to fully transpose DORA into their national legislation.  

The DORA Directive represents a cornerstone of the EU’s efforts to bolster the digital operational resilience of its financial sector. By establishing clear and consistent rules for financial entities, including banks, insurance companies, and investment firms, DORA aims to safeguard the smooth functioning of the single market in an increasingly digital landscape.  

Deadline passed

The deadline for Member States to transpose the DORA Directive into their national laws was set for January 17, 2025. This deadline underscores the urgency of addressing the growing risks associated with the rapid digitalization of financial services. The Commission’s proactive stance highlights the critical importance of a unified approach to digital operational resilience across the EU.  

“Full implementation of the legislation is key to strengthen the digital operational resilience of financial entities across the EU by addressing risks associated with the increasing digitalisation of financial services,” the Commission stated in a press release.

The letters of formal notice serve as the first step in the infringement procedure. The 13 Member States in question are now required to provide a comprehensive response to the Commission within two months, detailing their plans to complete the transposition process and notify the Commission of the measures they have implemented.  

Failure to provide a satisfactory response within the stipulated timeframe could result in the Commission issuing a reasoned opinion, the next stage in the infringement procedure. Continued non-compliance could ultimately lead to the matter being referred to the Court of Justice of the European Union.

The DORA Directive is designed to:

  • Standardize digital operational resilience practices: It establishes a harmonized framework for managing ICT risks across the financial sector.  
  • Enhance supervision of critical ICT third-party providers: It imposes oversight on entities that provide essential ICT services to financial entities.  
  • Improve incident reporting and management: It mandates robust mechanisms for reporting and managing ICT-related incidents.  
  • Strengthen testing of digital operational resilience: It requires financial entities to conduct regular testing to assess their resilience against cyber threats.  

The Commission’s firm action underscores its commitment to ensuring a secure and resilient digital financial ecosystem within the EU. The timely and complete transposition of the DORA Directive is essential for safeguarding the stability and integrity of the financial sector in the face of evolving digital threats.

, , , ,

You may also like