The Digital Operational Resilience Act (DORA) came into law in EU member states on 16 January this year. Many UK entities may also fall within its scope. We explain how the regulation may affect your organisation.
Information and communication technology (ICT) risk has attracted the attention of international regulators and bodies. This has led to the creation of DORA to enhance digital resilience in the financial sector.
Although the reforms after the 2008 financial crisis did strengthen financial resilience, ICT security and digital resilience had been less of a focus area. These operational functions are critical in supporting financial resilience. Coupled with the growth of digitisation and interconnectivity between financial entities, serious ICT breaches now have greater potential to spread and cause chaos, destabilising the financial sector.
DORA aims to address these concerns. It will apply from 17 January 2025, so companies have around 16 months remaining to prepare.
The regulation itself has four key pillars:
- ICT risk management
- ICT-related incident reporting
- Resilience testing
- ICT third-party risk
Who is in scope of DORA?
Financial institutions of any sort within the European Union (EU) are likely affected. There are around 22,000 financial entities and ICT service providers operating in the EU, plus many more outside.
Those in scope include (but are not limited to):
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Cryptoasset service providers
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitisation repositories
- ICT third-party service providers.
Crucially, DORA also has an impact on third-party service providers in the ICT industry. Although the specific obligations may differ, if your organisation offers services to any institution falling under DORA’s scope, your organisation is also in scope.
A key feature of the regulation is that the principle of proportionality applies. The level of risk determines the regulatory expectations. This may not solely depend on the organisation’s size, but size can serve as an indicator. There are also exclusions for micro-organisations, defined as companies with fewer than 50 employees, and specific details may vary from country to country.
New draft regulatory standards
In June the European Securities and Markets Authority (ESMA) began its consultation on three draft regulatory technical standards (RTSs) and one draft implementing technical standard (ITS). The June release of the RTSs aimed to provide companies with the opportunity to express their opinion on the proposed regulation in relation to:
- Management of ICT risks
- Reporting of significant ICT-related incidents
- Management of third-party risks.
These draft RTSs are the first batch of mandates to be released, with public consultation due to end on 11 September. Based on feedback, the RTSs will be finalised and submitted to the European Commission by 17 January 2024.
Another set of RTSs will be made available for feedback towards the end of this year. They will focus on:
- Response and recovery (including reporting)
- Testing
- Contractual provisions
- Oversight procedures.
The finalisation of these RTSs is expected to be in July 2024.
What should I do to prepare?
Now is the time for firms to act. The first step is to create a high-level DORA readiness strategy that provides overarching time frames on how the framework will be implemented. This readiness strategy will help firms to prepare for DORA and identify synergies with their other ongoing resilience programmes.
Following this, we recommend a more detailed gap analysis and implementation plan to identify potential additional resources and expenditure that may be needed.
Firms should carefully consider the consultative versions of the RTSs and ITSs when released, as they are usually very similar to the final versions that will be adopted.
If your business would like support on any of the issues raised in this article, please contact our Cybersecurity team, who will be happy to help.