The Digital Operational Resilience Act (DORA) is a significant regulatory framework aimed at enhancing the operational resilience of financial entities within the European Union (EU), applicable from 17 January 2025. It emphasises the importance of Information and Communication Technology (ICT) risk management, incident management, operational resilience testing, third-party risk management, and the sharing of cyber threat intelligence.
Understanding DORA
DORA is an EU regulation that ensures that financial institutions and their ICT third-party service providers maintain operational integrity and reliability. It covers a wide range of ICT-related capabilities to safeguard the continued provision of financial services, even during disruptions such as the global CrowdStrike disruption in July 2024.
DORA requires extensive review and mapping within organisations to ensure that applicable provisions are prepared for and integrated into the risk management frameworks.
DORA has a proportionality principle, which requires entities to implement rules based on their size, risk profile, and complexity. This principle protects smaller entities, ensuring they are not overburdened by the same requirements as larger institutions.
Who is in scope?
Whilst it is an EU initiative, DORA is also relevant to UK-based institutions. Many are impacted either due to their operations in the EU or through group-level ICT service provisions. UK institutions should therefore prepare accordingly, especially considering a UK version of DORA may emerge in the future.
DORA’s scope is broad, encompassing:
- Credit institutions
- E-money institutions
- Investment firms
- Insurance and reinsurance undertakings
Third-party ICT service providers also have obligations to help financial entities meet DORA’s requirements.
The five pillars
DORA is built around what we in fscom, and others in the financial services industry, call the five pillars. Much of the regulation is built specifically around these five areas.
- ICT risk management
Financial institutions are required to establish robust ICT risk management frameworks. These frameworks must be comprehensive, well-documented, and integrated into the overall risk management system of the organisation. The focus is on ensuring that policies and procedures are mature, regularly reviewed, and adhered to.
- Incident management and reporting
Financial entities are required to define, establish and implement an ICT-related incident management process for the detection, management, and reporting of ICT-related incidents. A key objective of DORA is to standardise the criteria for reporting incidents to the regulators, ensuring a consistent and cohesive approach across the financial services industry.
- Operational resilience testing
DORA stipulates regular testing of ICT systems to ensure operational resilience. This includes annual testing for most entities, and advanced testing every three years for a smaller subset of entities. The objective is to assess the impact of disruptions and ensure continuity of critical functions.
- Third-party risk management
A significant component of DORA is the management of third-party ICT service providers. Financial entities are required to regularly monitor the ability of a third-party service provider to securely provide services without impacting the firm’s overall operational resilience. This involves maintaining detailed registers of third-party providers and ensuring compliance with DORA’s requirements.
- Information sharing
The last pillar is the sharing of cyber threat intelligence throughout the financial services industry, either through regulators or the various trade bodies. This pillar is not mandatory, but it is encouraged under DORA.
Challenges of DORA
Complexity and administrative overheads – The complexity of DORA’s requirements poses a significant challenge for financial entities. Cross-functional collaboration within organisations is crucial, as compliance is not solely the responsibility of the compliance department but of the firm as a whole. The administrative burden of maintaining detailed registers and ensuring ongoing compliance is substantial.
Third-party risk management – Managing third-party risks poses a challenge for firms. Entities must ensure that their third-party providers are compliant with DORA and capable of maintaining operations during disruptions. This involves detailed assessments and potentially renegotiating contracts to include necessary provisions.
Executive buy-in and resource allocation – Securing executive buy-in and allocating the right resources are essential for successful DORA implementation. Organisations must engage stakeholders across various departments, including IT and business continuity teams, to ensure a comprehensive approach to compliance.
Conclusion
DORA represents a significant shift in the regulatory landscape for financial services, emphasising the need for robust operational resilience. Whilst there are challenges, engagement with third-party providers and internal stakeholders can facilitate compliance.
For further guidance on DORA, fscom offers multiple resources to support your compliance journey. Download our DORA webinar here to gain valuable insights from SMEs, or download our DORA checklist here to ensure you are taking the necessary steps to achieve compliance.
This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.