Under the new rules that will apply from January 2025, financial entities such as banks, insurers, investment firms and fund managers will have to have in place intrinsic arrangements for comprehensive ICT risk management, resilience testing and incident reporting processes, mechanisms for managing ICT third party risks, and information sharing arrangements.

 Notably, affected entities will have to develop and implement structures and capabilities for network and information security, involving several elaborate policies, procedures, and mechanisms that together form a coherent and effective company-wide cybersecurity framework, integrated in their broader operational risk management framework. Meeting the Regulation’s requirements can be very demanding in both time and resources and is expected to be particularly challenging for small and medium-sized firms that do not already have in place sophisticated DORA-like ICT-risk management arrangements.

An article authored by Stefanos Sofroniou, Senior Associate at Elias Neocleous & Co LLC, and recently published on Lexology, discusses the implications of these regulations and offers insights into how financial entities can prepare for and navigate the complexities of compliance with DORA.

For more information, please reach out to Stefanos or your usual contact at our firm.