
The Digital Operational Resilience Act (DORA) in summary


Why is DORA important?

DORA Regulation para 3 sets out why DORA is needed - "...the existing high level of interconnectedness across financial entities, financial markets and financial market infrastructures, and particularly the interdependencies of their ICT systems, could constitute a systemic vulnerability because localised cyber incidents could quickly spread from any of the approximately 22 000 Union financial entities to the entire financial system, unhindered by geographical boundaries".

What does DORA set out to achieve?

DORA Regulation para 6 sets out "...the paramount importance of making the Union financial sector more resilient, including from an operational perspective to ensure its technological safety and good functioning, its quick recovery from ICT breaches and incidents, ultimately enabling the effective and smooth provision of financial services across the whole Union, including under situations of stress..." 

When do you need to provide DORA information?

The DORA Regulation becomes effective on 17 January 2025. From this date the competent authority can request the information required under DORA. Penalties and fines are likely to be levied against financial entities that are not DORA compliant.

Article 6 paragraph 5 states:  "The ICT risk management framework shall be documented and reviewed at least once a year... A report on the review of the ICT risk management framework shall be submitted to the competent authority upon its request." 

This means that from January 2025, at a minimum, you need to have documented and available:

1. Your ICT risk management framework

2. The risks that have been identified and the actions you are taking to address them

3. Your DORA compliance levels (with supporting evidence) and

4. Your register of information. This is a set of Excel templates covering all of your business functions (including those deemed critical), all of your third-party provider contractual agreements, and how they are inter-related, i.e. which ICT contractual agreements are linked to which functions.

Who does DORA apply to?

DORA applies to more than 22,000 financial entities and ICT service providers operating within the European Union, including many delivering services directly from the UK. Since Brexit, numerous UK financial entities have set up some form of EU presence to support current or planned future activities, making these financial entities also subject to the DORA Regulation.

UK financial organisations are subject to various UK regulations and regulators, including NIS, the Financial Conduct Authority (FCA) and the Prudential Regulatory Authority (PRA). UK regulators are working towards enhanced requirements on digital operational resilience, indicating potential alignment, in part, with DORA.

Financial entities should obtain advice as to their legal status with regard to the DORA Regulation.
