The European Union (“EU”) has finalized the Digital Operational Resilience Act (“DORA”), a regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. DORA is an important regulation that aims to enhance the EU financial industry’s operational resilience by setting rules for information and communication technology (“ICT”) risk management and monitoring. DORA's objective is to reduce the risk of business disruption by standardizing the prevention and mitigation of cyberthreats and attacks with a set of technical standards and procedures to ensure financial entities follow unified practices to maintain secure and continuous operations.
Learn more below about DORA and how it affects Cloudflare and those of our customers that fall under the scope of the regulation.
DORA is a major new piece of EU legislation that aims to strengthen the cybersecurity and resilience of financial entities. With DORA, the EU aims to ensure financial stability and consumer protection in Europe by taking into account the complexity of ICT services provided to financial entities.
DORA applies to a wide range of financial entities, including banks, credit institutions, and investment firms. DORA also regulates an oversight framework for “critical” ICT third-party service providers if the requirements of Article 31 are met.
The European Supervisory Authorities (“ESAs”) will classify ICT third-party service providers as "critical" based on specific criteria outlined in Article 31. Key criteria are the systemic impacts on the stability, continuity or quality of the provision of financial services in case of a widespread operational disruption of the ICT third-party service, as well as the importance of the financial entities that rely on the ICT third-party service provider.
Once an ICT third-party service provider is designated as “critical,” the ESA will notify the provider, which will then be subject to strict oversight and monitoring by the responsible ESA.
Cloudflare has not been designated as a “critical” third-party service provider at this time. However, Cloudflare understands its important role as an ICT provider and is prepared to work with DORA-regulated customers to support their compliance obligations and cooperate with regulatory authorities.
Overall, DORA covers five major pillars:
- ICT risk management
- ICT-related incident management, classification and reporting
- Digital operational resilience testing
- Managing of ICT third-party risk
- Information-sharing arrangements
Financial entities are responsible for implementing a control framework which must include a digital operational resilience strategy and internal governance to manage ICT risks.
Yes, Article 41(1) mandates that the ESAs develop Regulatory Technical Standards (“RTS”). The final draft has been submitted to the European Commission and can be found here. The draft also includes Implementing Technical Standards (“ITS”). The ITS is a set of templates to be maintained and updated by financial entities in relation to their contractual arrangements with ICT third-party service providers. The European Commission is reviewing the draft with the objective of adopting the first standards as directed.
Yes, Article 30 sets out specific key contractual provisions that must be included in contracts between ICT third-party service providers and financial entities, so that relevant ICT risks are properly addressed and can be managed by the financial entity in compliance with the regulation.
Many of the requirements stated under Article 30 are already covered by Cloudflare's standard terms. Cloudflare's DORA mapping document maps DORA’s contractual requirements to the corresponding provisions in Cloudflare’s current standard terms.
For additional questions or concerns about individual contracts, Cloudflare customers can reach out to their account team.
Learn more about how Cloudflare’s connectivity cloud capabilities help enterprises streamline and map to compliance requirements across multiple standards including DORA by visiting our data compliance and protection page. For information on how Cloudflare helps meet other financial service industry relevant legislation like NIS2, visit our NIS2 Compliance Strategy Hub.
For information on how Cloudflare helps financial institutions ensure security, resiliency, sovereignty and regulatory compliance, with redundancy for key security controls and by keeping transactions within regions, visit our Cloudflare Banking page.
For detailed instructions, visit Cloudflare’s guide.