Download your free copy of the latest Financial Technologist magazine here.
The Digital Operational Resilience Act (DORA) was conceived by the European Commission back in 2020. It is part of a larger digital finance package intended to ensure that the financial sector in the European Union can maintain more resilient operations, following a series of high-profile disruptions. It entered into force on 16 January 2023, and must be complied with by 17 January 2025.
In the UK, the implementation of operational resilience regulation was accelerated by a series of serious public outages within banking sector IT systems. These covered technical failures, risk management and governance failures, and other resilience issues affecting millions of customers, who experienced disruption to in-branch, telephone, mobile and online banking services. The failures culminated in millions of pounds worth of fines handed out by the FCA and PRA for operational resilience misconduct.
In response to this, in 2019 the FCA, in partnership with the Bank of England and PRA, published their final rules and guidance on new requirements to strengthen operational resilience in the financial services sector. The DORA has incorporated some of these key principles, while also taking inspiration from other EU rules such as PSD2 and the NIS Directive.
While the DORA is an EU regulation, many UK entities may fall in scope for DORA compliance, such as those with a legal entity in the EU, or those with commitments to provide assurance on operational or financial resilience. This calls for an aligned approach to meeting the requirements of both the DORA and the UK’s resilience regime.
What does the DORA mean for UK entities?
Compared to UK regulation on Operational Resilience, the DORA has a wider scope: 20 types of financial entity are in scope for compliance from 2025, plus the ICT service providers to these entities. This includes, but is not limited to, credit institutions, payment institutions, investment firms, crypto-asset service providers, insurers and reinsurers, audit firms and pension firms.
Like UK Operational Resilience regulation, the DORA will also extend to critical ICT service providers of the EU’s financial sector. Where the DORA goes further is in regulating critical third parties more stringently and directly: requiring them to establish an EU subsidiary, mandating cyber security measures, and giving the regulator powers to enforce contract suspensions or cancellations. Additionally, under the DORA certain contractual provisions apply to all ICT service providers, not just critical third parties.
Considering the notable additions in scope, it is estimated that 22,000 entities operating within the EU will be required to comply with the DORA.
Comparing the DORA: where the regulation stands apart
Regarding structure, the DORA leverages other risk disciplines with numerous integration points, but its requirements are more expansive, adopting a multi-discipline approach and an increased level of expectation around managing ICT risk. The legislation consists of five fundamental pillars, which are essential for ensuring robust digital operations.
■ ICT risk management and governance: the financial entity is required to define, approve, oversee and be accountable for the implementation of the ICT risk management framework. Primary considerations for financial institutions are the role of leadership in steering digital resilience strategy and achieving end-to-end management of critical business services.
■ Incident reporting: the DORA specifically requires firms to have the capabilities and staff in place to monitor vulnerabilities, cyber threats, ICT incidents and cyber-attacks, and their impact on digital resilience. Key questions for financial institutions to consider are around incident monitoring, thresholds and consistent reporting requirements across EU member states.
■ Digital operational resilience testing: the DORA requires an ICT-related incident management process to detect and manage relevant incidents. Alerts should be put in place to establish early warning indicators. Key points for this pillar are around ensuring the right types of tests are used for the respective systems or applications.
■ ICT third-party risk: the DORA more directly regulates critical ICT third parties in relation to managing third-party risk. A deliberate strategy for the management of third-party suppliers is required.
■ Information sharing: cyber threat information and intelligence can be shared across the industry, including indicators of compromise (IOCs), tactics, techniques and procedures, cyber alerts and configuration tools.
Navigating the DORA Maze: Keys to a Successful Program
It is clear that the DORA casts a wide net, incorporating a complexity that requires a strategic approach, which starts with building a strong organisational foundation.
■ Ditch the Silos, Embrace Collaboration: the DORA's diverse demands call for a cross-functional programme team. IT, security, operations, legal and compliance professionals must collaborate, each bringing their expertise to the table, in order to meet the multi-disciplinary demands.
■ Leadership Sets the Tempo: A dedicated leader should set the direction and drive accountability. They ensure the programme stays on track, navigates challenges, and communicates effectively with stakeholders and the wider business.
■ Knowledge is Power: Equip your team with the right tools. Invest in training programmes that demystify the DORA’s requirements and empower staff to fulfil their roles in supporting compliance. Every team member contributes to the overall resilience posture.
■ Build on Past Foundations: The DORA doesn't exist in a vacuum. Look for overlaps and synergies with existing resilience programmes such as the UK Operational Resilience regulation. Leverage established policies and controls where applicable, avoiding unnecessary reinvention of the wheel.
■ Weaving it Together: Seamless integration is key. Ensure clear mapping of roles and responsibilities between the DORA and existing teams. Foster collaboration and knowledge sharing, and establish unified reporting and metrics that capture both sets of goals.
Guiding financial institutions to resilience and innovation
The DORA is an ongoing journey, not a destination. Regularly review and adapt your programme as regulations evolve, threats change, and your organisation grows.
The DORA brings an opportunity for financial entities to make a step change in resilience, efficiency and security. Organisations must be adaptable in prioritising the key pillars of the DORA to foster innovation and sustained success. Doing so strengthens their defence against emerging threats and supports excellence in financial services, and a commitment to continuous improvement strengthens resilience and secures the organisation's future in the digital age.