The Digital Operational Resilience Act ("DORA") is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025, requiring financial entities in the banking and payments, insurance and investment sectors to manage their information and communication technology ("ICT") risks strictly and effectively.
DORA applies to certain financial entities and ICT third-party service providers in the UK that work with EU customers or do business with EU financial firms. Businesses in these categories that fall within scope will need to establish robust ICT risk management frameworks, manage third-party risks, conduct regular digital operational resilience testing, comply with strict incident reporting guidelines and share threat intelligence with other financial services institutions.
Examples of the types of businesses that may be within scope:
- Banking sector: credit institutions.
- Payments sector: payment institutions (including those exempted under PSD2), account information service providers (AISPs), electronic money institutions (including those exempted under the second Electronic Money Directive (2009/110) (EMD)).
- Markets infrastructure: central securities depositories, CCPs, trading venues, trade repositories and data reporting service providers.
- Investments and funds sector: MiFID investment firms, managers of alternative investment funds (AIFs) and UCITS management companies.
- Insurance sector: insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries.
- Cryptoasset service providers authorised under the EU Regulation on markets in cryptoassets (MiCA) and issuers of asset-referenced tokens.
- Other financial entities: credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories.
- ICT third-party service providers: providers of cloud computing services, software, data analytics services and data centres.
Failure to comply with DORA could result in fines of 1% of your daily turnover, imposed for up to 6 months.
If you are unsure whether DORA applies to you, Herrington Carmichael's expert regulatory team will conduct an analysis of your firm's business activities and operations to determine whether your business falls within the scope of DORA. This analysis will include, for example:
- Assessment of third-party service providers used by your business.
- Assessment of how your business is conducted through subsidiaries, branches or representative offices.
- Review of the services offered.
- Analysis of the types of entities covered by DORA and any applicable exceptions.
- Analysis of the provision of, or reliance on, ICT services.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.