ARTICLE
10 September 2024

Deadline For DORA – 17 January 2025!

Herrington Carmichael

Contributor

Herrington Carmichael is a full-service law firm offering legal advice to UK and international businesses. We work with corporate entities of all sizes from large PLCs through to start-up businesses.

The Digital Operational Resilience Act is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025 requiring financial entities in the banking and payments, insurance and investment sectors to manage their information and communication technology ("ICT") risks strictly and effectively.

DORA applies to certain financial entities and ICT third-party service providers in the UK that work with EU customers or do business with EU financial firms. Businesses in these categories that fall within scope will need to establish robust ICT risk management frameworks, manage third-party risks, conduct regular digital operational resilience testing, comply with strict incident reporting requirements and share threat intelligence with other financial services institutions.

Examples of the types of businesses that may be within scope:

  • Banking sector: credit institutions.
  • Payments sector: payment institutions (including those exempted under PSD2), account information service providers (AISPs), electronic money institutions (including those exempted under the second Electronic Money Directive (2009/110) (EMD)).
  • Markets infrastructure: central securities depositories, CCPs, trading venues, trade repositories and data reporting service providers.
  • Investments and funds sector: MiFID investment firms, managers of alternative investment funds (AIFs) and UCITS management companies.
  • Insurance sector: insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries.
  • Cryptoasset service providers authorised under the EU Regulation on markets in cryptoassets (MiCA) and issuers of asset-referenced tokens.
  • Other financial entities: credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories.
  • ICT third-party service providers: providers of cloud computing services, software, data analytics services and data centres.

Failure to comply with DORA could result in fines of 1% of your daily turnover, which may be imposed for a period of up to 6 months.

If you are unsure whether DORA applies to you, Herrington Carmichael's expert regulatory team will conduct an analysis of your firm's business activities and operations to determine whether your business falls within the scope of DORA. This analysis will include, for example:

  • Assessment of third-party service providers used by your business.
  • Assessment of how your business is conducted through subsidiaries, branches or representative offices.
  • Review of the services offered.
  • Analysis of the types of entities covered by DORA and any applicable exceptions.
  • Analysis of the provision of, or reliance on, ICT services.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
