DORA Watch - November 2024

As financial entities and ICT service providers undergo the final stages of implementation of the Digital Operational Resilience Act (DORA) requirements into their systems and processes, it is imperative to understand the legal developments and ongoing updates arising from EU Member States as they go through their respective transposition and alignment processes. Through TerraLex - our global legal network, which provides us with access to 22,000 lawyers from highly regarded and carefully vetted law firms stretching more than 120 countries – we have collated legal updates focusing on DORA and its implications in EU jurisdictions.

Subscribe to DORA Watch

DORA Watch will be published every few weeks. The format allows you to gain insight to each jurisdiction's updates from a short summary. If you would like further information, we and the firms listed would be very happy to answer any questions you may have.

Please note that any jurisdictional coverage is based on relevant updates, which are subject to change issue-to-issue.

Germany

It was planned that the enforcement of DORA in Germany would be realised through the national law on the digitalisation of the financial market (“FinMaDiG”). The draft is in the Bundestag committees at the moment. However, due to the current political circumstances it is unlikely that this national law will be adopted in due course. The German supervisory authority, BaFin, should nevertheless be able to enforce DORA from the start of its validity in January. FinMaDiG would only have regulated further details.

BaFin has currently announced in its priority report on the activities of insurance supervision that it will focus on the enforcement of IT security. In addition, the development of penetration tests, for which DORA requires certain companies, has progressed; BaFin published further information on the design. The BaFin website also contains a series of further implementation instructions on the basis of which BaFin intends to enforce DORA in Germany.

For more information, please contact Dr. Kristina Schreiber of Loschelder.

Denmark

The Danish Financial Supervisory Authority has inserted a new chapter into the Danish Financial Business Act (Lov om finansiel virksomhed section 333). The new chapter implements the NIS 2 Directive for the designated IT providers (operators of financial digital infrastructure) and imposes a number of additional requirements that follow from the DORA regulation. This is in order to close the commercial “gap” between DORA and NIS2 seen from the perspective of IT providers targeting financial institutions (e.g. data centre service providers subject to NIS2).

On 18 November 2024, the Danish Financial Supervisory Authority announced the companies that have been designated as operators of financial digital infrastructure. Six different companies have been designated by name and must therefore comply with the NIS2 / DORA requirements set out in the new chapter of the Financial Business Act.

For more information, please contact Kasper Bilde Nielsen of Bech-Bruun.

Finland

The Ministry of Finance has submitted proposals for a decree on information regarding recovery and resolution plans for credit institutions and investment firms, as well as amendments to certain existing decrees. These proposals aim to align national regulatory provisions with the requirements of the DORA Amending Directive. The proposed changes are relatively minor and do not significantly alter the current framework.

For more information, please contact Johanna Heikkinen of Waselius.