The Digital Operational Resilience Act

DORA applies to a range of financial entities. Those include but are not limited to:

• Banks
• Investment firms
• Insurance companies
• Payment service providers
• Crypto-asset service providers
• Critical third-party ICT service providers

If you work in or into the financial sector you should double-check your compliance requirements.

In general, DORA will not apply to financial entities who do not:

• Operate in the EU
• employ more than 10 employees and have an annual turnover and/or balance sheet that does not exceed EUR 2 million.

However, all financial entities in the UK should evaluate their current and future activity to ensure they do not breach compliance.

In all likelihood, no. Although many financial entities and third-party suppliers might not think they are subject to DORA, it’s likely that they will be caught in the supply chain sooner than later.  Thousands of entities and ICT suppliers will find requirements for compliance being worked into contracts.

It’s likely that UK-centric resilience acts from the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority will increasingly seek alignment with EU legislation, so non-compliance is unlikely to be an option. 

DORA came into force on 16 January 2023. Companies have until 17 January 2025 to ensure compliance – so it’s not too late, but the clock is ticking.

Key requirements of DORA include:

• Establishing and maintaining robust ICT risk management frameworks.
• Conducting regular and thorough ICT risk assessments.
• Implementing appropriate security policies and measures.
• Reporting significant ICT-related incidents.
• Performing regular testing of ICT systems and controls.
• Managing third-party risks, particularly from critical ICT service providers.

DORA mandates that financial institutions integrate ICT risk management into their overall risk management. That means embedding the ability to identify, protect against, respond to, and fully recover from ICT-related incidents into their strategy and day-to-day operations. To ensure this, companies must ensure continuous monitoring and management of their ICT systems and infrastructures.

The Act requires entities to report significant ICT-related incidents to relevant authorities within set timeframes. This includes:

• Initial notification
• Timely interim updates
• Final reports detailing the incident’s impact, response, and recovery measures. 

In order to fulfil this, institutions must be able to recognise these incidents and act accordingly.

DORA requires entities to perform ICT risk assessments regularly. The frequency depends on an institution’s risk profile and the complexity of its ICT systems. If this changes, the frequency of assessments will change with it. It’s most cost-effective for companies to ensure their systems comply around the clock so there are no surprises when assessments come around.

Third-party providers are an integral part of a financial institution’s operations. The ct formalises that any risks posed by third parties supporting ICT are managed, particularly those deemed critical. This includes:

• Conducting due diligence before engaging third-party providers.
• Establishing and maintaining comprehensive contracts with third-party providers.
• Regularly monitoring the performance and security measures of providers.
• Ensuring third-party providers support and adhere to an institution’s ICT risk management framework.

DORA requires entities to conduct regular testing of their ICT systems, which includes:

• Vulnerability assessments.
• Penetration testing.
• Scenario-based testing. 

Institutions must ensure that these tests cover all critical ICT assets and processes and are performed by qualified professionals.

Penalties for non-compliance with DORA vary but include fines and regulatory sanctions. Penalties will take into account:

• The nature and severity of non-compliance 
• Specific regulations of member states where the entity operates.

Companies should take into consideration their specific circumstances and their current infrastructure as well as sourcing qualified support. In summary, organisations need to:

• Review and update their ICT risk management frameworks and policies.
• Train staff on DORA requirements and ICT risk management practices.
• Conduct a gap analysis to identify and address areas of non-compliance.
• Establish processes for regular testing, monitoring, and reporting of ICT systems.
• Develop and maintain a robust incident response plan.
• Ensure proper management and oversight of third-party ICT service providers.

Cyber security is certainly a large part of DORA’s resilience requirements, and gaining a lot of attention. But the Act also covers the availability of service and market risks.  Any loss of service could breach DORA, whether it’s down to a compromised network or business insolvency. 

Companies need to be resilient across the board, from the Board to the firewall. Building robust continuity plans into company strategy is just as vital as cyber security compliance.

Companies can find more information about DORA from the following sources:

• Official publications and guidelines from the European Commission.
• Professional advisory services specializing in financial regulations and compliance.
• Industry associations and forums focused on financial technology and cybersecurity.
• Xcelerate – our services support companies to understand and ensure they are DORA compliant.

Just get in touch with us through our contact form and we’ll be happy talk through next steps and set up a DORA review meeting.