Operational Resilience

DORA

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening the operational resilience of the financial sector against a range of disruptions stemming from Information and Communication Technology (ICT) risks. DORA mandates that banks, insurers, investment firms, and other financial entities establish robust ICT risk management frameworks, report major incidents, conduct rigorous resilience testing, manage risks from third-party service providers, and participate in sector-wide information sharing. DORA also brings critical ICT third-party service providers, such as cloud providers, that serve the financial sector within its scope. You can find official information on DORA directly from the European Parliament and Council or the European Banking Authority (EBA).


DORA Enforcement and Applicability: Key Dates for Financial Sector Resilience

DORA entered into force on 16 January 2023 and applies from 17 January 2025 onwards. Its primary objective is to enhance the IT security of financial entities so that the financial sector remains resilient during severe operational disruptions.

This regulation is set to harmonize the rules related to operational resilience for the financial sector, extending its application to 20 different types of financial entities as well as Information and Communication Technology (ICT) third-party service providers.

What are ICTs?

ICTs broadly refer to the technologies, systems, and processes that enable the creation, processing, storage, transmission, and exchange of information. This includes:

  • Algorithmic Trading Platforms: Systems executing trades based on pre-defined algorithms and high-frequency strategies.
  • Anti-Money Laundering (AML) Solutions: Systems to screen customers, identify high-risk clients, and flag potential money laundering activities.
  • Enterprise Resource Planning (ERP): Integrated systems managing supply chain, HR, finance, and other back-office functions.
  • Data: The raw information, structured databases, and the analytics tools used to extract insights from that data.

Why are ICTs Important?

ICTs have revolutionized virtually every aspect of modern life and business, leading to:

  • Enhanced Productivity: Automation, streamlining workflows, and enabling real-time collaboration.
  • Innovation: Fueling new products, services, and business models across industries.
  • Global Connectivity: Facilitating communication, commerce, and knowledge sharing beyond geographic borders.
  • Improved Decision-Making: Providing access to vast amounts of data and analytical tools.
  • Social Change: Empowering individuals and fostering new forms of community and social action.

DORA establishes a binding, comprehensive ICT risk management framework specifically for the EU financial sector. This framework is aimed at creating a single regulatory environment at the European level to manage risks stemming from ICT and ICT suppliers.
It is designed to improve cybersecurity and operational resilience in the financial services sector, complementing existing laws such as the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
The regulation also seeks to harmonize existing rules on ICT governance, risk management, and incident reporting for all financial institutions, ensuring operational resilience against cyber-attacks. It applies to all EU and non-EU companies operating in mainland Europe.


Why do you need to comply with DORA?

There are several compelling reasons why financial institutions need to comply with DORA: 

Regulatory Mandate and Penalties: The most immediate reason is that DORA is a legally binding EU regulation. Failure to comply by the implementation deadlines can result in significant fines, reputational damage, and potential restrictions on operating within the EU.

Strengthening Operational Resilience: DORA’s core aim is to build a more robust financial sector capable of withstanding ICT-related disruptions. By implementing the required frameworks, testing, and risk management, you reduce the likelihood and impact of outages or cyberattacks compromising your services.

Improved Cybersecurity Posture: DORA includes specific requirements around ICT security. Complying builds stronger defenses against cyber threats, protecting sensitive customer data and financial assets.

Harmonization of ICT Risk Management: Previously, ICT risk rules varied across EU member states. DORA provides a unified framework, streamlining compliance for institutions operating in multiple countries and creating a level playing field across the sector.

Building Customer & Stakeholder Trust: Demonstrating DORA compliance signals to clients, investors, and regulators that you take operational resilience and the security of their assets seriously. This can be a competitive advantage, foster stronger relationships, and reduce reputational risk.

Aligning with Evolving Risks: The threat landscape is constantly changing. DORA helps you stay ahead of the curve by requiring regular testing and reassessment of your resilience posture against new and emerging threats.

Beyond Compliance: Benefits of Proactive DORA Adoption

Enhanced decision-making: Data and insights gained through DORA compliance inform better risk management and investment decisions in ICT infrastructure and security.
Reduced operational costs: Proactive risk mitigation and prevention can reduce the cost of incidents and outages in the long run.
Innovation: A strong operational foundation enables confident exploration of new technologies and services, knowing you have the resilience to protect them.

WHO DOES IT IMPACT?

DORA is a comprehensive EU regulation aimed at enhancing IT security and operational resilience for a wide range of financial institutions, including banks and investment firms. It extends its scope to include Information and Communication Technology (ICT) third-party service providers, establishing a unified regulatory framework to mitigate ICT-related risks and improve cybersecurity.

  • Asset Managers
  • Banks
  • Fintechs

How to comply with DORA?

1. Inventory and Mapping

Review your current:

  • Inventory of ICT third-party service providers (TPPs).
  • Contractual arrangements with TPPs.
  • Map these details to the standardized templates provided by the Implementing Technical Standard (ITS).

2. Systems and Processes

Establish or improve systems and processes for:

  • Collecting, validating, and updating information required for the register of information on TPPs.
  • Reporting this information regularly.
  • Monitoring changes in the risk profile and performance of TPPs.

3. Collaboration with TPPs

Communicate with your TPPs about:

  • Their reporting obligations and expectations.
  • The need for their cooperation in providing information.
  • Amending contracts with TPPs, where needed, to require their compliance with reporting requirements.

4. Policy and Procedures

Develop or update policies and procedures to govern the management of the register of information, including:

  • Roles and responsibilities of personnel involved.
  • Escalation and reporting mechanisms for identified issues.
  • Audit and review activities to ensure ongoing compliance.

1. Gap Analysis and Assessment

Conduct an initial gap analysis to assess the current state of a financial institution's IT security and operational resilience against the requirements of the DORA regulation.
Help identify areas of non-compliance and provide recommendations for improvement.

2. Strategic Advisory

Offer strategic advice on how to align operational resilience strategies with DORA requirements.
Guide the allocation of resources to meet compliance deadlines and maintain ongoing compliance.

3. Policy Development and Review

Assist in developing, reviewing, and updating policies, procedures, and controls to ensure they meet DORA requirements.
Help create a robust Information and Communication Technology (ICT) risk management framework.

4. Training and Awareness

Develop and deliver training programs to enhance awareness and understanding of DORA requirements among staff and stakeholders.
Provide continuous education on evolving DORA requirements and other related EU regulations.

5. Implementation Support

Provide hands-on support in implementing the changes necessary to achieve DORA compliance.
Offer technical and operational support in setting up ICT governance structures, incident reporting mechanisms, and other required systems and processes.

6. Third-Party Vendor Assessment

Conduct assessments of third-party ICT service providers to ensure they comply with DORA requirements.
Help manage the relationships and contracts with these providers to ensure ongoing compliance.

7. Technology Advisory and Implementation

Advise on the selection and implementation of technologies that can help monitor and manage ICT risks in line with DORA guidelines.
Support the implementation of Artificial Intelligence (AI) and Machine Learning (ML) technologies in a manner compliant with DORA.

8. Monitoring and Reporting

Assist in establishing monitoring and reporting mechanisms to ensure continuous compliance with DORA requirements.
Help prepare for audits and inspections by regulatory authorities.

9. Incident Response Planning

Help develop and test incident response plans to ensure they are robust and comply with DORA requirements.

10. Liaison with Regulatory Authorities

Act as a liaison between financial institutions and regulatory authorities, assisting with reporting and ensuring that all regulatory communications are handled in a timely and compliant manner.

11. Customized Solutions

Provide tailored solutions to meet the unique needs and challenges faced by different financial institutions in complying with DORA.

DORA Readiness - How do you compare?

Organizations' estimated completion rates for key DORA milestones:

ICT Risk Management: Most firms (around 65%) have updated their ICT risk management frameworks recently, yet ongoing updates remain essential.

Third-Party Risk Management: Approximately 70% of firms actively manage third-party risks, but dynamic monitoring remains a challenge.

Operational Resilience Testing: 60% have established testing frameworks, but only 40% conduct advanced testing at recommended frequencies.

Information Sharing: Only 50% of firms utilize established mechanisms effectively to enhance collective defense.

Reporting Requirements: High readiness (around 75%) for meeting reporting requirements, though the detail and accuracy of incident reports can still be improved.
