DORA
What is DORA?
The Digital Operational Resilience Act (DORA) is the EU regulation intended to strengthen the operational resilience of financial services provided in the EU against a potentially broad range of ICT-related disruptions. DORA requires banks, insurance undertakings, investment firms and other financial institutions to:
- define and maintain a robust governance and ICT risk management framework;
- report significant ICT-related incidents to the authorities;
- test their resilience against a range of ICT risk scenarios;
- manage the ICT risk arising from third-party providers; and
- participate in the development of the cyber resilience report.
The regulation also applies to the most critical ICT third-party providers, judged by the ICT services they provide to the financial sector (e.g. cloud providers). The European Parliament and Council and the European Banking Authority (EBA) publish the official resources on DORA.
DORA Enforcement and Applicability: Key Dates for Financial Sector Resilience
DORA entered into force on 16 January 2023 and applies from 17 January 2025 onwards. Its key aim is to strengthen the cyber resilience of financial institutions so as to protect the financial system against severe disruptions.
This regulation is expected to “align operational resilience requirements for the financial sector, while expanding their scope to cover 20 different types of financial institutions and ICT third-party service providers.”
What are ICTs?
ICTs broadly refer to the technologies, systems, and processes that enable the creation, processing, storage, transmission, and exchange of information. This includes:
- Algorithmic Trading Platforms: Systems executing trades based on pre-defined algorithms and high-frequency strategies.
- Anti-Money Laundering (AML) Solutions: Systems to screen customers, identify high-risk clients, and flag potential money laundering activities.
- Enterprise Resource Planning (ERP): Integrated systems managing supply chain, HR, finance, and other back-office functions.
- Data: The raw information, structured databases, and the analytics tools to extract insights from data.
Why are ICTs Important?
ICTs have revolutionized virtually every aspect of modern life and business, leading to:
- Enhanced Productivity: Automation, streamlining workflows, and enabling real-time collaboration.
- Innovation: Fueling new products, services, and business models across industries.
- Global Connectivity: Facilitating communication, commerce, and knowledge sharing beyond geographic borders.
- Improved Decision-Making: Providing access to vast amounts of data and analytical tools.
- Social Change: Empowering individuals and fostering new forms of community and social action.
DORA establishes a binding, comprehensive ICT risk management framework specifically for the EU financial sector. This framework is aimed at creating a single regulatory environment at the European level to manage risks stemming from ICT and suppliers.
It’s designed to improve cybersecurity and operational resiliency in the financial services sector, complementing existing laws like the Network and Information Security Directive (NISD) and the General Data Protection Regulation (GDPR).
The regulation also seeks to harmonize existing rules on managing ICT governance, risks, and incident reporting for all financial institutions, ensuring operational resilience against cyber-attacks. This applies to all EU and non-EU companies operating in mainland Europe.

Why do you need to comply with DORA?
There are several compelling reasons why financial institutions need to comply with DORA:
Regulatory Mandate and Penalties: The most immediate reason is that DORA is a legally binding EU regulation. Failure to comply by the implementation deadlines can result in significant fines, reputational damage, and potential restrictions on operating within the EU.
Strengthening Operational Resilience: DORA’s core aim is to build a more robust financial sector capable of withstanding ICT-related disruptions. By implementing the required frameworks, testing, and risk management, you reduce the likelihood and impact of outages or cyberattacks compromising your services.
Improved Cybersecurity Posture: DORA includes specific requirements around ICT security. Complying builds stronger defenses against cyber threats, protecting sensitive customer data and financial assets.
Harmonization of ICT Risk Management: Previously, ICT risk rules varied across EU member states. DORA provides a unified framework, streamlining compliance for institutions operating in multiple countries and creating a level playing field across the sector.
Building Customer & Stakeholder Trust: Demonstrating DORA compliance signals to clients, investors, and regulators that you take operational resilience and the security of their assets seriously. This can be a competitive advantage, foster stronger relationships, and reduce reputational risk.
Aligning with Evolving Risks: The threat landscape is constantly changing. DORA helps you stay ahead of the curve by requiring regular testing and reassessment of your resilience posture against new and emerging threats.
Beyond Compliance: Benefits of Proactive DORA Adoption
Enhanced decision-making: Data and insights gained through DORA compliance inform better risk management and investment decisions in ICT infrastructure and security.
Reduced operational costs: Proactive risk mitigation and prevention can reduce the cost of incidents and outages in the long run.
Innovation: A strong operational foundation enables confident exploration of new technologies and services, knowing you have the resilience to protect them.
WHO DOES IT IMPACT?
DORA is a comprehensive EU regulation aimed at enhancing IT security and operational resilience for a wide range of financial institutions, including banks and investment firms. It extends its scope to include Information and Communication Technology (ICT) third-party service providers, establishing a unified regulatory framework to mitigate risks related to ICT and improve cybersecurity. Entities affected include:
- Asset Managers
- Banks
- Fintechs
How to comply with DORA?
1. Inventory and Mapping
Review your current:
- Inventory of ICT third-party service providers (TPPs).
- Contractual arrangements with TPPs.
- Map these details to the standardized templates provided by the Implementing Technical Standard (ITS).
2. Systems and Processes
Establish or improve systems and processes for:
- Collecting, validating, and updating information required for the register of information on TPPs.
- Reporting this information regularly.
- Monitoring changes in the risk profile and performance of TPPs.
3. Collaboration with TPPs
Communicate with your TPPs about:
- Their reporting obligations and expectations.
- The need for their cooperation in providing information.
- Consider amending contracts with TPPs to require their compliance with reporting requirements.
4. Policy and Procedures
Develop or update policies and procedures to govern the management of the register of information, including:
- Roles and responsibilities of personnel involved.
- Escalation and reporting mechanisms for identified issues.
- Audit and review activities to ensure ongoing compliance.
1. Gap Analysis and Assessment
Perform an initial gap analysis to evaluate the level of IT security and operational resilience of a financial institution within the scope of DORA against the regulation's requirements. Identify gaps and points of non-compliance and propose solutions.
2. Strategic Advisory
Advise on how best to map operational resilience strategies to the DORA standards; assist with prioritising resources to meet the compliance deadlines and maintain ongoing compliance.
3. Policy Development and Review
Contribute to the development, review and update of policies, procedures and controls to ensure compliance with DORA requirements. Assist in the development of a comprehensive Information and Communication Technology (ICT) risk management framework.
4. Training and Awareness
Develop and deliver training courses to raise awareness and knowledge of DORA obligations among employees and stakeholders alike; continue providing updates on changes to DORA and other relevant EU regulations.
5. Implementation Support
Provide hands-on assistance with the changes required to become DORA-compliant. Provide technical and operational support in establishing ICT governance frameworks, incident reporting and other necessary systems and processes.
6. Third-Party Vendor Assessment
Assess third-party ICT service providers for compliance with DORA requirements. Assist in managing relationships and contracts with third-party ICT service providers to maintain continuous compliance.
7. Technology Advisory and Implementation
Recommend and deploy technology that enables monitoring and management of ICT risks in line with DORA guidance. Support the implementation of Artificial Intelligence (AI) and Machine Learning (ML) technology in accordance with DORA.
8. Monitoring and Reporting
Contribute to establishing systems to monitor and report on ongoing compliance with DORA requirements. Prepare for audits and inspections by regulatory authorities.
9. Incident Response Planning
Assist in developing and testing incident response plans to confirm that they are effective and meet DORA obligations.
10. Liaison with Regulatory Authorities
Serve as an intermediary between financial entities and regulators for reporting, and oversee all regulatory communication so that accurate, timely and legally compliant information is provided.
11. Customized Solutions
Tailor solutions to the individual requirements and challenges of different financial institutions in meeting their DORA obligations.
DORA Readiness - How do you compare?
Organizations' estimated completion rates for key DORA milestones:
- ICT Risk Management: Although most companies (about 65%) have revised their IT risk management frameworks recently, continuous updating will be necessary.
- Third-Party Risk Management: About 70% of firms actively monitor third parties for risk, but ongoing, dynamic assessment remains difficult.
- Operational Resilience Testing: 60% already have a test framework in place, yet only 40% are performing advanced testing at the right frequencies.
- Information Sharing: Only 50% of firms make effective use of established mechanisms to enhance collective defense.
- Reporting Requirements: High readiness (around 75%) for meeting reporting requirements, though the detail and accuracy of incident reports can be improved.