DORA Implementation Deadline is Here: Key actions to finalise your compliance

Today marks a critical milestone for financial institutions across Europe: the Digital Operational Resilience Act (DORA) applies from today, 17 January 2025. By now we should all be well acquainted with the essence of DORA. To recap briefly, it sets the framework for ensuring the operational resilience of the financial sector by addressing ICT risk management, incident handling, third-party dependencies, and resilience testing.

If you’re reading this, chances are DORA applies to your organisation. Whether you’re a payment or e-money institution, bank or other credit institution, asset manager, or other financial entity, you should already be implementing the necessary frameworks. But are you fully prepared?  

Please note that this regulation is not limited to EU-based entities. It also affects UK firms with operations in the EU, and UK entities that provide ICT services to EU group companies. Add the possibility of a future UK equivalent, and it is best to stay ahead of the curve.

To help you confirm last-minute readiness, we have outlined the key focus areas from our DORA Checklist and from our recent DORA 101 webinar. Here is where you should focus your efforts today:

  1. ICT Risk Management

By now, you should have: 

  • Identified critical or important functions: these are at the core of your operations and, under DORA, set the scope for much of what follows (testing, third-party oversight, contract terms). 
  • Established a DORA-aligned ICT risk management framework: policies, procedures, and governance structures that meet the act's requirements, with the management body accountable for it. 
  • Updated ICT policies and business continuity processes: have your incident response, data protection, and recovery plans been aligned with DORA standards? 
  • Operationalised internal controls: ensure that internal processes are in place and working as intended to mitigate ICT risks, and that you can evidence this to your competent authority.

  2. Incident Reporting

Efficient and timely incident reporting is a cornerstone of DORA. Key actions include: 

  • Aligning incident response procedures with DORA's reporting requirements, including the staged reporting of major ICT-related incidents (initial notification, intermediate report, final report) to your competent authority. 
  • Updating your major incident classification criteria to reflect DORA's definitions and thresholds, so that the decision to report is made consistently and quickly. 
  • Establishing a reporting template: a standardised format helps streamline communication with regulators. 
  • Assigning clear roles and responsibilities: your team must know who is responsible for reporting and who for managing incidents, including out of hours.

  3. Digital Operational Resilience Testing

Testing is not a one-time event. Ensure you have: 

  • Determined whether you are in scope for threat-led penetration testing (TLPT), which DORA requires at least every three years for the entities identified by their competent authority. 
  • Developed a comprehensive testing strategy: covering everything from vulnerability assessments and scenario-based tests to continuity tests, and tracking remediation of the findings. 
  • Scheduled ongoing resilience testing: regular tests should be planned to keep your systems compliant and resilient over time, not run once for the deadline.

  4. ICT Third-Party Risk Management

Third-party providers pose one of the greatest risks to operational resilience. Ensure you have: 

  • Identified and categorised ICT third parties and fourth parties (your providers' subcontractors): this means knowing who they are and understanding their criticality to your operations, particularly where they support critical or important functions. 
  • Implemented a third-party management framework: including due diligence, ongoing oversight, and contractual protections. 
  • Completed the register of information: DORA requires this register of all contractual arrangements with ICT third-party providers, and competent authorities will collect it, so it must be accurate and kept up to date. 
  • Notified third parties regarding DORA contract addendums: they need to be aware of the changes and their responsibilities under the new framework, including the minimum contractual provisions DORA mandates.

  5. Information Sharing

Collaboration with other financial entities and regulators is crucial. Have you: 

  • Established procedures for information sharing: this includes both routine exchanges of cyber threat information and intelligence with other financial entities and critical incident communication with regulators.

Download our DORA Checklist

With the implementation deadline upon us, now is the time to act decisively. Download our DORA checklist here to verify your compliance across these critical areas. If any gaps remain, prioritise closing them immediately and document the remediation plan. You can also download our DORA webinar here to gain valuable insights from subject-matter experts. As always, fscom's team of experts is here to support you with tailored guidance and solutions.

For further assistance, or if you have any last-minute compliance questions, do not hesitate to get in touch.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
