The Digital Operational Resilience Act (DORA) establishes a harmonised and comprehensive framework for information and communication technology (ICT) risk management in the financial sector. It is a directly applicable EU regulation designed to ensure that financial institutions within the European Union can withstand, respond to, and recover from ICT-related disruptions and threats. DORA came into effect on 16 January 2023 and will apply as of 17 January 2025.
Reliance on ICT across the financial sector has introduced new vulnerabilities, making the ecosystem more susceptible to systemic cyber risks within the EU and internationally. An ICT disruption can have cascading effects on the performance, integrity and stability of the financial system and its adjacent industries. As financial services are deployed across multiple jurisdictions, the lack of a unified regulatory framework for ICT risks creates inconsistencies and costly implementation of overlapping national rules. This is where DORA's detailed regulatory mechanism plugs the gaps. By harmonising requirements for all financial entities, it ensures a more coordinated and effective approach to managing critical risks via rules on ICT risk-management capabilities, incident reporting, operational resilience testing and ICT third-party risk monitoring.
Below is a brief checklist to facilitate your internal cross-team discussions on how your company (or group) can prepare for compliance by the 17 January 2025 deadline. For tailored, risk-based and practical advice on getting DORA-ready, please reach out to our specialists in the European Tech & AI, Data Privacy & Cybersecurity team at King & Spalding, London.
Does DORA apply to you?
DORA applies to a broad definition of "financial entities", which includes credit institutions, payment institutions, electronic money institutions, managers of alternative investment funds, crypto asset service providers, crowdfunding service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries, institutions for occupational retirement provision and credit rating agencies.
DORA's scope extends beyond the EU's borders, for example, to organizations (in the case of financial entities) that are authorised to offer certain financial services in the EU market or (in the case of ICT providers) that contract with financial entities that are in-scope of DORA. So, if you are a UK-based group with EU-authorised financial subsidiaries, those subsidiaries will be required to comply with DORA, and if the UK parent provides ICT services to them it will qualify as an ICT third-party service provider. Similarly, if a US parent company is providing intra-group ICT services to an in-scope EU financial entity, the US parent company will qualify under DORA as an ICT provider.
Alignment with MiFID II and other financial regulations
DORA also applies to investment firms and trading venues as defined under the MiFID II Directive, as well as to trade repositories.
Every trading venue is a financial entity under DORA. The following market-share criteria do not determine whether a trading venue is in scope; rather, thresholds of this kind are used in the ESAs' technical standards to identify the trading venues that are subject to the enhanced testing requirement (threat-led penetration testing, see pillar 3 below):
- highest market share at national level; or
- market share at Union level exceeding 5%,
in each case measured by turnover in each of the preceding two financial years in transferable securities, derivatives, structured finance products and emission allowances as defined under MiFID II.
What are the five pillars of DORA compliance?
1) ICT risk management
Financial entities must build a comprehensive risk management framework deploying strategies, policies, procedures, ICT protocols and tools to address ICT risks, taking into account their size, risk profile, and the nature, scale and complexity of their services and operations.
2) ICT incident reporting
Financial entities must establish an ICT-related incident management process to detect, record and notify ICT-related incidents and significant cyber threats. ICT-related incidents shall be classified based on their criticality, duration, geographical spread, data losses and economic/reputational impact. In the event of a major ICT-related incident (including one affecting one of their third-party providers), financial entities shall report the incident within specified time limits to the relevant competent authority; reporting of significant cyber threats is voluntary.
3) Digital operational resilience testing
Compliance requires a digital operational resilience testing programme which includes vulnerability assessments, penetration testing through cyber-attack simulations, scenario-based testing that examines resilience against hypothetical disruption scenarios and, for certain entities, threat-led penetration testing (TLPT).
4) Third-party risk management
Financial entities must maintain a register of information on all contractual arrangements with ICT third-party service providers. As well as contractual requirements (see below), DORA also specifies pre-contractual safeguards and due diligence requirements to be carried out by financial entities to ensure that ICT providers comply with appropriate information security standards. Additionally, cyber risk should be appropriately covered by insurance, with thresholds and caps negotiated with the insurer as the case may be.
5) Information sharing on threats and vulnerabilities
Financial entities are encouraged to share cyber threat information to collectively leverage individual knowledge and practical experience at strategic and operational levels toward enhancing capabilities to adequately defend and protect against cyber risk.
Practical steps on how to prepare
A) Gap Analysis and Remediation
- Evaluate current ICT practices and assess existing ICT risk management frameworks, cybersecurity protocols, incident response plans, and vendor management systems. Next, map these against the requirements outlined in DORA to identify gaps. Use the gap analysis to prioritise areas for improvement and remediation.
B) Build or Enhance an ICT Risk Management Framework
- Governance: Ensure robust governance structures to oversee ICT risk management. Appoint responsible officers or committees.
- Risk assessment: Regularly assess ICT risks, taking into account operational, legal, and financial impacts.
- Policies and procedures: Establish comprehensive ICT risk management policies covering cybersecurity, business continuity and disaster recovery and data back-up solutions and ensure these align with DORA.
- Implement an ICT incident reporting process:
  - Establish an internal reporting framework for ICT-related incidents.
  - Define thresholds for classifying and reporting major incidents to regulators.
  - Ensure timely notification of regulators. DORA's reporting timeline runs in stages (an initial notification within hours of classifying an incident as major, an intermediate report within days and a final report within a month, as specified in the technical standards), and each report must include detailed incident analysis and review.
  - Train staff to identify and escalate ICT incidents effectively.
- Develop a comprehensive digital operational resilience testing programme – conduct regular testing of systems to ensure they can withstand ICT disruptions, including:
  - Vulnerability assessments
  - Penetration testing
  - Disaster recovery drills
  - Simulated cyberattacks
  - Collaborate with third-party experts to validate testing methodologies.
  - Document test results and remediate identified vulnerabilities.
- Training and awareness: conduct initial training on DORA, and regular training sessions on identifying cyber threats, responding to incidents, and following escalation procedures.
C) Contractual Requirements
- Determine which agreements fall within the scope of DORA: due to the wide definition of ICT services ("digital and data services provided through ICT systems"), financial entities will need to assess each vendor contract individually and make a determination.
- Update contracts with ICT service providers to flow-down DORA mandated provisions, including provisions for: service-level agreements (SLAs), audit rights, security standards, incident reporting and exit assistance. This could be done by way of an amendment or inserting a "DORA addendum" which the parties agree takes precedence over the underlying agreement.
- Further requirements exist in relation to ICT services that support a "critical or important function" of the financial services entity.
DORA compliance is not a one-time task but a continuous process. Companies need to establish a compliance team to monitor changes in regulatory requirements and oversee ongoing compliance in this area as it increases in importance. Businesses will need to regularly update policies, systems, and practices to reflect evolving threats and new technologies.
'Critical' versus Non-Critical ICT Providers
DORA does not apply directly to non-critical ICT third-party service providers, i.e., it imposes no operational resilience obligations on such providers themselves. Of course, such providers will need to be familiar with DORA for any discussions with their customers in respect of changes to their contracts.
DORA introduces a direct oversight regime for ICT providers designated as critical: one of the European Supervisory Authorities (ESAs), i.e., the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) or the European Insurance and Occupational Pensions Authority (EIOPA), is appointed as "Lead Overseer" and holds oversight powers over that provider. The ESAs notify the ICT service provider of its provisional designation as 'critical', and the provider then has six weeks to submit a reasoned statement challenging it. Lead Overseers will create an oversight plan tailored to each critical ICT provider, and critical ICT providers must maintain an adequate business presence in the EU. A critical ICT provider established outside the EU will need to set up an EU subsidiary within 12 months of its designation.
Enforcement
National competent authorities supervise financial entities' compliance with DORA and have the power to impose sanctions for breaches. The competent authority is empowered to obtain access to relevant documents, carry out on-site inspections or investigations, summon representatives of financial entities for oral or written explanations and impose corrective or remedial measures for breaches of DORA requirements.
DORA by itself does not set the level of sanctions for financial entities but instead directs EU Member States to lay down effective, proportionate and dissuasive administrative penalties and remedial measures, and Member States may also provide for criminal penalties. The maximum fines applicable to financial entities and to individuals will therefore be set in national law and may differ between Member States.
Regarding critical ICT third-party providers, where a provider fails to comply with the Lead Overseer's recommendations, competent authorities may require financial entities to temporarily suspend, either in part or completely, the use or deployment of the services provided by that critical ICT third-party service provider until the risks have been addressed. The Lead Overseer is also empowered to impose periodic penalty payments on a non-compliant critical ICT third-party service provider of up to 1% of its average daily worldwide turnover in the preceding business year, for a period of up to six months.
Conclusion
In response to the EU's regulatory developments in the digital space, the UK is aligning its approach with the EU in prioritising cybersecurity through its own legislative measures. Among the upcoming legislative advancements, the UK Cyber Security and Resilience (CS&R) Bill is expected to play a crucial role in enhancing the UK's cybersecurity framework as it progresses through Parliament next year. Building on this momentum, the UK Information Commissioner's Office (ICO) has signed memoranda of understanding with both the National Crime Agency and the National Cyber Security Centre to coordinate the approach to tackling cybercrime in the UK.
Following the first set of technical standards published by the ESAs on, inter alia, the classification of ICT-related incidents, we will be monitoring further releases and the latest guidance and can keep clients updated on the latest so that they can stay ahead of the game.
Special thanks to Sanjana Vijayakumar for assistance in drafting this article.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.