What Is DORA and Why Does It Matter?

The EU Regulation on Digital Operational Resilience (DORA) applies from 17 January 2025 to most financial entities in the EU.

Although DORA does not apply in the UK, financial services firms and ICT service providers based in the UK should take account of DORA if they provide services within the EU.

The Purpose of DORA: Strengthening Digital Resilience

DORA sets out operational resilience requirements both for financial services firms in their use of information and communication technology (ICT) services and for third parties providing those ICT services. Its objective is to enhance the security within the financial sector, ensuring that Europe’s financial industry remains resilient in the event of a cyber-attack, and is able to respond to all types of ICT-related disruptions and threats.

Who Must Comply with DORA?

  • Banking sector: Credit institutions.
  • Payments sector: Payment institutions and electronic money institutions.
  • Markets infrastructure: Central securities depositories, central counterparties (CCPs), trading venues, trade repositories and data reporting service providers.
  • Investments and funds sector: Markets in Financial Instruments Directive (MiFID) investment firms, managers of alternative investment funds (AIFs) and UCITS management companies.
  • Insurance sector: Insurance and reinsurance undertakings, ancillary insurance intermediaries.
  • Other financial entities: Credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories.
  • Cryptoasset service providers.
  • Other third-party service providers.

The Five Pillars of DORA Compliance

ICT risk management

Financial entities must establish an internal process to manage ICT risk effectively. They are also required to implement a comprehensive ICT risk management framework covering strategies, policies and procedures, and to put effective protective and preventive measures in place. Key steps include regular risk assessments, ongoing updates to incident response plans, and continuous monitoring of the ICT environment.

ICT-related incident management, classification and reporting

Financial entities must establish processes to detect, manage and document all ICT-related incidents, and to determine which of them qualify as major incidents.

Digital operational resilience testing

Financial entities are required to run tests to identify, mitigate and eliminate any weaknesses in their digital resilience. Tests should be conducted by independent parties. Entities are also required to perform advanced threat-led penetration testing from time to time for ICT services that support critical functions.

Management of ICT third-party risk

Financial entities are required to harmonise the key elements of their services and relationships with ICT third-party providers, so that those providers can be monitored in a ‘complete’ way, and to conduct thorough due diligence on ICT third parties. Additional obligations include reporting to supervisory authorities, mandatory risk assessments and maintaining a register of all such arrangements. Critical ICT third-party service providers will operate under a Union Oversight Framework, which is authorised to issue recommendations for mitigating identified ICT risks.

Information-sharing arrangements on cyber threat information and intelligence

Financial entities may establish arrangements amongst themselves to exchange cyber threat information and intelligence. Financial entities are required to inform the supervisory authorities if they take part in any arrangement.

Consequences of Non-Compliance

Failure to comply with DORA may result in administrative fines. For example, Luxembourg regulators (e.g., the Commission de Surveillance du Secteur Financier (CSSF) or the Commissariat aux Assurances (CAA)) can impose administrative fines of up to EUR 5 million or 10% of an organisation’s annual total turnover.

How We Can Help You Achieve and Stay Compliant

  1. Identify what needs to change: We can review your ICT, cyber and risk processes and determine whether you meet DORA requirements.
  2. Update your policies and contracts: We can draft or update the required documentation, including ICT risk policies and contracts, to comply with DORA.
  3. Help manage third-party and ICT-provider risks: Through due diligence, contract reviews and negotiation of the required rights (audit, access, exit).

Reach out to our Head of Corporate and Commercial Law, Andrew Gordon.