The EU Digital Operational Resilience Act
The EU's Digital Operational Resilience Act (DORA) came into force on 16 January 2023, ushering in a new era of cybersecurity and operational resilience standards for the financial sector.
Broad scope
DORA’s scope is very broad, targeting a wide range of entities operating in the financial and insurance sectors such as credit institutions, payment providers, e-money providers, investment firms, crypto-asset service providers, alternative investment fund managers, and insurance and reinsurance companies. It also applies to critical third-party providers providing the financial sector with information and communication technology (ICT) services, such as cloud computing platforms and data analytics.
Uniform rules and requirements
DORA introduces a comprehensive regulatory framework aimed at enhancing the security and resilience of ICT systems for financial services firms across the European Union. At its core, it seeks to establish a harmonised set of rules and requirements to bolster the digital operational resilience of financial entities, requiring them to implement stringent risk management practices, robust resilience testing measures, and effective incident response and business continuity plans. Firms must also conduct thorough risk assessments of their ICT systems, third-party dependencies, and outsourcing arrangements, ensuring that potential vulnerabilities are identified and addressed proactively.
Reporting obligations
The Act imposes heightened oversight and reporting obligations on financial institutions. Regulated entities will be required to promptly report any major ICT-related incident. Firms should also notify, on a voluntary basis, significant cyber threats to the competent authorities, as well as participating in information and intelligence sharing in relation to cyber threats and vulnerabilities.
DORA readiness
DORA will become effective on 17 January 2025. Before then, firms and ICT service providers will need to take a number of steps to ensure their Compliance with DORA’s requirements including:
- Conducting Risk Assessments
- Updating ICT Risk Management Frameworks
- Implementing Updated Incident Management Processes
- Updating Business Continuity and Disaster Recovery Plans
- Carrying out Digital Operational Resilience Testing
- Implementing Incident Reporting Mechanisms
How can we help?
The digital landscape is evolving rapidly, bringing exciting new opportunities but also new risks. The team at Fladgate understands that having reliable and secure digital operations is crucial for organisations to succeed in view of the increasing number of regulations and laws that companies must follow related to digital systems, data and cybersecurity.
Our team can help with reviewing and updating policies, procedures and controls, including governance, risk management and incident management, as well as carrying out enhanced Third-Party Risk Management supporting Firms and their ICT service providers to implement measures to manage risks associated with third-party service providers, including due diligence, monitoring and contractual arrangements.
If you would like to discuss any of the above or require support, please contact a member of our digital operational resilience team.
