Laying the groundwork for DORA compliance

Financial entities and third parties will have to ensure compliance with the Digital Operational Resilience Act (DORA) by January 2025 — which means it’s time to start preparing today.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Since the 2008 financial crisis, regulators have been campaigning for greater resilience, highlighting the potential areas of disruption to firms and their customers across a variety of business operations.

Flash forward to September 2022, and the European Commission, European Parliament, and European Council answered this call by reaching a provisional agreement on the wording for DORA. Enterprises are now tasked with taking a more proactive approach to enhancing data transparency, risk mitigation strategy, and their classification and reporting of IT incidents. With total regulatory compliance required by 2025, it’s time for companies to start strategizing.

First things first: What is DORA?

The Digital Operational Resilience Act, or DORA, introduces a comprehensive regulatory framework to all financial entities regulated at an EU level.

DORA aims to homogenize the requirements across the EU so that financial organisations are able to withstand, respond to, recover from, and maintain their operations even under severe operational disruptions. The objective of DORA is to address ICT risks more comprehensively and to strengthen the operational resilience of digital systems in the EU financial sector.

The requirements relate to:

  • ICT risk management
  • classification and reporting of ICT-related incidents
  • digital operational resilience tests
  • contractual agreements between ICT third-party service providers and financial entities
  • the supervisory framework for critical ICT third-party service providers
  • rules for the exchange of information and more.

Empowering your team for full DORA compliance

Financial entities and third parties have to ensure compliance with DORA by January 2025 — and this regulation has a broad reach. To name just a few, this applies to: all credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, data reporting service providers, insurance and reinsurance undertakings, and more.

With compliance requirements looming, companies subject to DORA regulations must begin preparing for the challenges – and opportunities – that accompany this new regulatory framework, which starts with:

  • understanding the key principles of DORA (there are 56 articles)
  • integrating this new regulatory framework with their other third-party and operational resilience initiatives, as well as their IT governance policy frameworks
  • leveraging the opportunities and avoiding the pitfalls of DORA compliance.

While we await the release of the technical specifics that this legislation will mandate through the 2024 rollout of its regulatory technical standards (RTS), in-scope firms will need to begin discussing DORA compliance at the earliest opportunity.

DORA is pushing enterprises to rethink their regulatory frameworks, and in doing so, also offers an opportunity to improve, streamline, and automate risk management and digital operational resilience.

It’s critical to begin the conversation on DORA compliance today — and to begin laying the groundwork that will empower your team to:

  • review – or build – IT governance policy frameworks
  • assess the risk inherent to IT infrastructure
  • deliver a clear policy framework that drives action.

Mitratech hosted a virtual webinar on 17 May on ‘Expert Perspectives: Implementing DORA, Mastering the Challenges and Opportunities’.