When we start talking about DORA, it is essential to understand its historical context. So, let’s try to look deeper into the history of the Digital Operational Resilience Act.
DORA was not created in a vacuum; it was developed in the context of the Digital Finance Package, but before that, several regulatory documents were aimed at the same goal: protecting critical systems (for example, financial) from cyber threats.

NIS (DIRECTIVE 2016/1148)
The NIS Directive (EU 2016/1148) is a directive on the security of networks and information systems. It focuses on network and information systems critical for service availability within the EU to protect the Union’s critical infrastructure and economies. The Directive aims to improve the functioning of the internal market and requires Member States to ensure a high-standard security level of network and information systems across the Union.
Fintech Action Plan
It was introduced on March 8, 2018, with the main purpose of presenting a regulatory framework for fintech businesses to easily operate within all EU jurisdictions while safeguarding cybersecurity standards, personal data protection, and the stability of the financial and banking sector, with the aim of making the EU the global resilient hub for the FinTech industry.
The Action Plan presented steps for implementing the use of new technologies, including the following measures:
- Crowdfunding regulation
- Consistent licensing requirements for innovative business models
- Reviewing the suitability of rules and ensuring safeguards for new technologies
- Removing obstacles for rendering cloud services
The Action Plan includes the proposal to regulate crowdfunding as one of the fundamental types of access to funding for start-ups and other small businesses that mostly deal with FinTech.
Digital Finance Package
The EU Digital Finance Package, adopted by the European Commission in September 2020, aimed to create a competitive EU financial sector that provides consumers with access to innovative financial products while ensuring consumer protection and financial stability. It includes a digital finance strategy and legislative proposals on crypto-assets and digital resilience. The package addresses gaps in existing EU legislation to accommodate new digital financial instruments and technologies within the scope of financial regulation. Additionally, the EU Digital Finance Platform initiative supports innovation in finance and aims to build an accurate single market for digital financial services.
Digital Finance Strategy
Reinforcement of the digital operational resilience of financial market participants was a necessary cross-cutting measure introduced in September 2020 because the EU cannot afford to have the operational resilience and security of its digital financial infrastructure and services called into question. There is also a need to minimize the risk of client funds being stolen or their data being compromised. Alongside this strategy, the Commission presented a proposal designed to enhance the financial sector’s operational resilience.
The decision about the Digital Operational Resilience Act was made here:
The Commission was proposing the necessary adaptations to the existing financial services legislative framework concerning consumer protection and prudential rules to protect end-users of digital finance, safeguard financial stability, protect the integrity of the EU financial sector, and ensure a level playing field.
DORA (REGULATION 2022/2554)
On December 14, 2022, the European Parliament and the European Council adopted Regulation (EU) 2022/2554 on digital operational resilience in the financial sector (DORA). It entered into force on January 17, 2023, and applies from January 17, 2025. Together with DORA, the EU Commission presented a legislative act on markets for crypto assets (MiCAR), a pilot project for DLT-based market infrastructures, and a strategy for digital financial systems.
NIS 2 (DIRECTIVE 2022/2555)
“NIS 2”, or Directive 2022/2555, is a European Union act that specifies cybersecurity requirements that need to be implemented by EU companies that are considered to be critical infrastructure. It was introduced in 2022 and became effective in January 2023. Each EU country defined its cybersecurity laws (Article 41) and made the national law sections effective by 2026/2027, whereas NIS 2 specified the minimum level of cybersecurity to be achieved. In practice, this means that companies in some countries must comply with the minimum specified in NIS 2. In other countries, they must comply with stricter cybersecurity requirements specified in local laws.
Compared to NIS, NIS 2 expands its EU-wide security requirements and scope of covered organizations and sectors to improve the security of supply chains, simplify reporting obligations, and enforce more stringent measures and sanctions throughout Europe.
NIS 2 became a de facto standard for critical infrastructure that other (non-EU) countries are emulating—a very similar scenario has already happened in non-EU countries with privacy regulations that are very similar to the EU GDPR.