Cyber security

Why now is the time to prepare for DORA

The Digital Operational Resilience Act (DORA) outlines the EU’s regulatory approach to improving digital operational resilience within the European Union's financial sector.

01 Dec 2023
Mark Hendry
Mark Hendry
Authors
  • Mark Hendry
Shutterstock 2087084479

Endorsed in the Official Journal of the European Union on December 27, 2022, DORA comprises a regulation and three directives.

Financial entities and ICT Suppliers supporting financial organisations have until mid-January 2025 to achieve compliance.

DORA readiness at a glance

DORA

What entities are subject to DORA?

DORA’s jurisdiction is EU-wide. It covers not only financial services entities operating in Europe but also providers of ICT services to the European Financial Sector, regardless of where services are provided from. A full list of financial entities subject to DORA can be found here.  

It isn’t yet clear whether the UK will mirror the EU’s approach to Digital Operational resilience. Many financial organisations operating domestically will already be subject to the PRA’s supervisory statement SS1/21 (Impact tolerances for important business services).

Suggested DORA readiness roadmap

DORA roadmap

If you feel your preparation for DORA is not on track, there is still time to get ready if you act now.

What does DORA require?

Requirements and obligations arising from DORA include those relating to:

  • ICT risk management
  • Third-party risk management
  • Digital operational resilience testing
  • Incident reporting
  • Information sharing

We expect that many organisations will need to incorporate elements of the following into their change and readiness programmes:

  • Identifying and mapping critical business functions
  • Defining impact tolerances
  • Update and creation of new policies, standards and procedures
  • Implementation of updated and newly defined policies and standards, for instance those relating to incident management
  • Making changes to systems and supporting technologies, potentially including migrations to alternative suppliers and supporting technologies
  • Developing or updating and ICT risk management frameworks
  • Updating the information security management system (ISMS)
  • Mapping important third parties and performing enhanced supplier risk management.
  • Working with customer organisations and supplier organisations to integrate their DORA readiness efforts with your own, including changes to third party risk monitoring, reporting, and intervention techniques
  • Updating contracts with suppliers and those who you are a supplier to, e.g., incorporating improved assurance mechanisms
  • Performing Digital Operational resilience testing
  • Ensuring that records of compliance are all in order (or that any remaining gaps are understood and accounted for)

Get in touch today if we can help you

Mark Hendry

Who does DORA apply to?

For a complete list of the financial services entities that DORA applies to click here.

Financial services entities subject to DORA:

  • Investment firms
  • Credit institutions
  • Payment institutions
  • Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
  • Insurance and reinsurance undertakings
  • Data reporting service providers
  • Credit rating agencies
  • Electronic money institutions
  • Trade repositories
  • Management companies
  • Managers of alternative investment funds
  • Crypto-asset service providers and issuers of asset-referenced tokens
  • Central counterparties
  • Central securities depositories
  • Account information service providers
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Institutions for occupational retirement provision
  • Trading venues
  • Securitisation repositories

For all of the above, as well as providers of ICT services to the financial sector, it should be noted that DORA introduces obligations over contractual arrangements between financial entities and ICT third-party service providers as well as rules for an oversight framework for critical ICT third-party service providers that provide services to financial entities.

Approval reference 23119399

Additional information

Whilst considerable care has been taken to ensure the information contained within this document is accurate and up to date, no warranty is given as to the accuracy or completeness of any information and no liability is accepted for any errors or omissions in such information or any action taken on the basis of this information.