Digital Operational Resilience Act (DORA): Regulation Summary

By: Shane O'Neill

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) contains rules designed to strengthen the digital operational resilience of financial entities operating in the European Union. The regulation entered into force on 16 January 2023 and applies from 17 January 2025. Below, our DORA experts provide an overview of the regulation, the organisations it affects and the penalties for noncompliance.

What is DORA?

A comprehensive regulatory framework, DORA aims to safeguard the financial services sector and its customers against Information and Communication Technology (ICT)-related incidents by enhancing how organisations identify, mitigate, document and respond to threats and vulnerabilities.

DORA introduces rigorous responsibilities for financial entities and their critical ICT third-party providers. It makes an organisation's management body (boards, executive leaders and senior stakeholders) ultimately responsible for ICT risk management by requiring that they define and approve the ICT risk-management framework, oversee its implementation, allocate an appropriate budget to it and keep their knowledge of the evolving ICT risk landscape up to date.

How does DORA affect businesses?

Unlike earlier, sector-specific rules, DORA applies to a broad range of financial entities across the EU financial sector, including credit institutions (traditional and digital banks), e-money and payment institutions, insurance and reinsurance undertakings, investment firms, asset managers and alternative investment fund managers such as private equity houses. It also holds these organisations accountable for detailing, within their ICT risk-management frameworks, how they oversee and manage the ICT third-party providers that support their critical or important functions.

Institutions are increasingly dependent on the services of third parties, such as cloud services and SaaS providers, to deliver digital offerings, which creates new risks for financial institutions and the market more broadly.

As seen during the July 2024 CrowdStrike outage, in which a faulty update to a widely deployed security agent disrupted airlines, banks, professional services firms and a wide array of other companies, an incident at a single third-party provider can have wide-reaching implications. DORA aims to strengthen financial entities' processes and policies for managing third-party providers, conducting due diligence and responding when a third-party incident occurs.

How does DORA differ from other operational resilience regulations?

Operational resilience has been at the forefront of regulators' agendas for the past few years. For instance, the Central Bank of Ireland issued cross-industry guidance on operational resilience and expected firms to have met it by December 2023. DORA, however, is more demanding in terms of both the requirements it places on firms and the timeline for implementation.

For instance, DORA contains specific requirements for how firms must detect, classify, respond to and report major ICT-related incidents, including fixed reporting timelines to their competent authority, all of which brings an enhanced level of risk-management practice to the sector. Another good example is DORA's requirements for digital operational resilience testing.

Currently, many financial services firms conduct testing; however, they do not necessarily have strong documentation, processes and controls around these tests. Once DORA applies, institutions must show an appropriate level of oversight, management and governance of testing and other critical components of operational resilience, including how test findings are prioritised and remediated.

What are the five pillars of DORA?

DORA compartmentalises digital operational resilience into five key pillars.

ICT risk management

This pillar aims to transform ICT risk management from a reactive process to a proactive one. It involves the development and implementation of regular risk assessments, evaluation practices, mitigation strategies, incident response plans and processes for raising risk awareness throughout an organisation. 

ICT-related incident management and reporting

This pillar standardises the process for incident reporting within financial entities throughout the EU. It requires that institutions implement systems that monitor, detect, classify, report and analyse significant ICT-related incidents.

Because DORA stresses the importance of transparency, the incident reporting framework must include procedures for reporting incidents to internal and external stakeholders, including the competent authority and, where clients are affected, the clients themselves.

Digital operational resilience testing

This pillar ensures that financial institutions can withstand cyber threats and operational disruption. It requires that organisations conduct periodic testing to evaluate their vulnerabilities and responses and then improve their practices based on the results. All ICT systems supporting critical or important functions must be tested at least annually, and certain financial entities must additionally undergo threat-led penetration testing (TLPT) at least every three years.

ICT third-party risk management

This pillar strengthens the relationship between financial institutions and their critical third-party providers. By mandating that institutions maintain detailed contracts with their ICT providers, keep a register of information on all ICT third-party arrangements, conduct ongoing due diligence and have a robust process for exit and offboarding, DORA aims to ensure that third-party relationships don't compromise operational resilience. 

Information sharing

This pillar seeks to raise operational resilience awareness and increase the sharing of threat intelligence and lessons learned throughout the sector. Organisations may share cyber threat information and intelligence securely to increase collaboration and resilience among financial institutions. 

What’s the penalty for noncompliance? 

DORA does not itself fix a monetary fine for financial entities. Instead, it requires each member state to lay down administrative penalties and remedial measures for breaches, which are imposed by the national competent authorities. Those measures can include orders to cease the conduct, public notices and pecuniary penalties, and they apply to failures to report major ICT-related incidents as well as to other breaches of the regulation.

ICT third-party providers designated as critical by the European Supervisory Authorities (ESAs) fall under a separate oversight regime. The Lead Overseer can issue recommendations and, where a critical provider fails to comply, impose periodic penalty payments of up to one percent of its average daily worldwide turnover in the preceding business year, for up to six months.

How Grant Thornton can help with DORA compliance

At the outset, implementing DORA's requirements can be daunting. The depth and breadth of requirements across areas such as incident reporting and third-party risk management demand action, and knowing where to begin can be tricky. 

We support institutions of all sizes in their ongoing journey to DORA compliance. Our first-hand experience, bolstered by our involvement with our EU network of firms, brings strength to our service offerings, and our clients attest that by clarifying the scope and key dependencies, we have helped them avoid potential pitfalls and achieve compliance with the required standard.

We can provide differing combinations of services to create a best-fit model for DORA implementation that meets your organisation's specific needs and achieves compliance by the 17 January 2025 application date.
