DORA Watch – August and September 2024
As financial entities and ICT service providers undergo the final stages of implementation of the Digital Operational Resilience Act (DORA) requirements into their systems and processes, it is imperative to understand the legal developments and ongoing updates arising from EU Member States as they go through their respective transposition and alignment processes. Through TerraLex, our global legal network, which provides us with access to 22,000 lawyers from highly regarded and carefully vetted law firms spanning more than 120 countries, we have collated legal updates focusing on DORA and its implications in EU jurisdictions.
DORA Watch will be published every few weeks. The format allows you to gain insight into each jurisdiction's updates from a short summary. If you would like further information, we and the firms listed would be very happy to answer any questions you may have.
Please note that any jurisdictional coverage is based on relevant updates, which are subject to change issue-to-issue.
Finland
On 6 September 2024, the Finnish Financial Supervisory Authority (the FIN-FSA) held a webinar to address questions related to DORA. During the session, the FIN-FSA announced that it will be updating the relevant guidelines throughout autumn. Additionally, the FIN-FSA shared that its plan to monitor ICT third-party service providers has been postponed from March 2025. Next year, the FIN-FSA will also conduct a thematic review of DORA.
The regulator clarified which financial institutions are required to conduct threat-led penetration testing. It appears that only credit institutions, central securities depositories, the most critical trading venues, and certain other key financial entities are subject to these requirements.
For more information, please contact Lauri Liukkonen of Waselius.
Slovakia
The legislative process in Slovakia concerning the implementation of DORA is currently in its first reading at the Slovak parliament. The proposed amendments primarily aim to harmonise Slovakia's legal framework with DORA and transpose Directive (EU) 2022/2556 (the DORA directive). While DORA is directly applicable, specific national measures are necessary, such as expanding the supervisory role of the National Bank of Slovakia (NBS) over the digital operational resilience of financial institutions. The NBS will issue certificates for threat-led penetration tests and oversee compliance in line with DORA. The draft law also amends other financial market laws, including those related to banking, securities, and payment services, to ensure alignment with the DORA directive. Additionally, it amends the Electronic Communications Act to grant the NBS access to telecommunications data for investigations into potential DORA violations, based on court decisions.
For more information, please contact Michal Rampášek of PETERKA & PARTNERS.
Slovenia
In Slovenia, it was initially anticipated that a specific act would be adopted to define the implementation rules for DORA. However, the proposer of the legislation (the Financial System Directorate, operating under the Ministry of Finance) has now decided to implement the relevant provisions through a Regulation, as this procedure is faster. The proposed content is currently under review by the Government coalition and is expected to be made public in the coming weeks.
For more information, please contact Tine Mišic of ODI LLP.
Bulgaria
Government publishes a draft law related to implementation of DORA
On 20 August 2024, the Bulgarian Ministry of Finance published for consultation a draft Law on Markets in Crypto-assets (implementation measures related to Regulation (EU) 2023/1114) which will also introduce measures for national implementation of DORA. The consultation was completed on 20 September 2024. The draft law expressly designates as supervisory authorities under DORA the Bulgarian National Bank (“BNB”) and the Bulgarian Financial Supervision Commission (“FSC”) in line with their respective scope of powers to oversee the financial sector. Specific procedures for supervising compliance are also envisaged in the draft law, including powers to impose remedial measures. The BNB will designate a high-level representative in the Oversight Forum while the FSC will designate an observer. The draft law specifies the fees which will be collected by the FSC for attestation of the threat-led penetration test and approval of use of internal testers.
For more information, please contact Georgi Sulev of DGKV.