What is the Digital Operational Resilience Act (DORA)?
The Digital Operational Resilience Act, also known as DORA, is a new regulatory framework adopted by the European Union (EU) on 24 November 2022.
DORA aims to enhance the cybersecurity of information and communication technology (ICT) and ensure that Europe’s financial sector remains resilient in the event of severe operational digital disruption.
In this article, we’ll cover what DORA is, its purpose and scope, and the impact it will have on the security of financial institutions in the EU and UK.
Topics we will discuss include:
- What is DORA?
- The purpose of the DORA regulation
- The scope of DORA
- How will DORA impact financial institutions?
  - DORA and the EU
    - Enhanced cybersecurity and resilience
    - Harmonised regulations
    - Regulatory compliance costs
    - Third-party risk management
    - Increased market confidence
  - DORA and the UK
    - Regulatory divergence
    - Alignment with DORA principles
    - Competitive advantage
    - Third-party relationships
    - Potential regulatory updates
What is DORA?
On 24 September 2020, the European Commission published the first draft of the Digital Operational Resilience Act (DORA), a regulatory framework aimed at strengthening the European financial sector’s resilience to ICT-related incidents.
Key provisions of DORA include:
- ICT risk management: Financial entities must establish and maintain robust ICT risk management frameworks. These include strategies, policies, procedures, and governance.
- Incident reporting: Under DORA, entities are required to promptly report significant ICT-related incidents to relevant authorities, as well as provide regular updates.
- Digital operational resilience testing: Regular testing must be conducted to ensure that ICT systems, policies, and processes can handle operational disruptions. This includes penetration testing and scenario-based testing.
- Third-party risk management: Financial entities must meet resilience requirements by managing risks associated with third-party ICT service providers. This includes monitoring service providers and conducting due diligence.
- Information sharing: Financial entities are encouraged to share cyber threat information to improve collective cybersecurity resilience.
- Governance: Clear governance requirements are established, ensuring that the management body of a financial entity is accountable for the oversight of ICT risk management.
DORA was adopted by the EU on 24 November 2022. The main provisions of DORA will apply from 17 January 2025. By this date, relevant financial entities and their critical third-party technology providers must implement the technical standards established by DORA.
The purpose of the DORA regulation
The primary objectives of the DORA regulation are to:
- Enhance cybersecurity: By establishing specific requirements for managing cyber risks, DORA seeks to improve the cybersecurity posture of financial entities within Europe.
- Ensure operational resilience: DORA aims to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related threats and disruptions.
- Harmonise regulations: DORA seeks to create a consistent and harmonised regulatory framework across Europe.
Before DORA, in the absence of EU-level ICT risk management rules, EU member states issued their own requirements. This, however, resulted in a patchwork of regulations that was difficult for financial entities to navigate.
With DORA, the EU aims to establish a universal framework for managing and mitigating ICT risks in the financial sector. A shared set of rules across EU member states makes it easier for financial entities to comply and simultaneously improves resilience across the EU financial sector.
The scope of DORA
The Digital Operational Resilience Act applies to all financial institutions in the EU. These include a wide range of financial entities, such as:
- Payment service providers
- Banks and credit institutions
- Cryptocurrency service providers
- Investment firms and trading venues
- Insurance and reinsurance companies
Notably, DORA also applies to certain entities typically excluded from financial regulations, such as third-party service providers that supply financial entities with ICT systems and services. DORA also covers firms that provide critical third-party information services, including data analytics providers and credit rating services.
How will DORA impact financial institutions?
DORA will significantly impact the financial sector—and not just within the EU. UK financial entities with EU operations will also need to navigate the DORA regulations.
DORA and the EU
The unified framework of DORA enhances the overall integrity and operational resilience of the EU financial sector.
The DORA regulation will impact EU financial institutions in the following ways:
Enhanced cybersecurity and resilience
DORA sets out to create a safer, more resilient financial sector within the EU. This means that financial entities will need to invest in better ICT infrastructures and practices to help prevent and mitigate the impact of ICT incidents.
Harmonised regulations
By providing a unified regulatory framework, DORA helps eliminate discrepancies in how different EU member states handle digital operational resilience. This uniformity makes it easier for financial institutions operating in multiple countries to comply with regulations and improve overall regulatory coherence within the EU.
Regulatory compliance costs
Financial institutions within the EU will incur costs related to DORA compliance. Examples of such costs include investments in new technology, staff training, and adjustments to existing processes to ensure they meet the new regulatory requirements.
Third-party risk management
With its emphasis on managing risks associated with third-party ICT service providers, DORA will compel financial entities to conduct thorough due diligence and continuous monitoring of their service providers. This will enhance the overall security of the supply chain.
Increased market confidence
The strengthening of security and resilience within the financial sector is expected to boost confidence among consumers and investors. This can potentially lead to a more stable financial market.
In short, the DORA regulation enhances the cybersecurity and operational resilience of the EU financial sector. It harmonises regulations across member states, reducing discrepancies and compliance complexities for multinational entities.
DORA may impose compliance costs, but it also boosts market confidence by creating a safer, more stable financial environment. This way, the unified framework strengthens the overall integrity and resilience of the EU financial system.
DORA and the UK
UK financial institutions operating in the EU must adhere to both UK and EU regulations.
This means that the DORA regulation will impact UK financial institutions in the following ways:
Regulatory divergence
Post-Brexit, the UK is no longer bound by EU regulations, including DORA. However, UK financial institutions that operate within the EU or have EU customers will still need to comply with the DORA regulations for their EU-based operations.
This situation creates a dual regulatory burden for such entities, as they’re required to comply with both UK and EU regulations.
Alignment with DORA principles
With the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), the UK has its own regulatory framework for operational resilience. It’s not identical to the DORA regulation, but there are a number of shared principles, including robust ICT risk management and incident reporting. The UK may consider aligning its regulations further with DORA to reduce compliance complexity and facilitate smoother cross-border operations for firms operating in both jurisdictions.
Competitive advantage
When dealing with EU clients, UK financial institutions that comply with DORA may leverage their compliance as a competitive advantage, showcasing their adherence to stringent security and resilience standards.
Third-party relationships
Similar to the EU, UK financial entities will need to ensure that their third-party service providers meet the necessary resilience standards. To do so, UK firms may be required to adopt practices and standards closely aligned with DORA – particularly if their service providers are based in the EU.
Potential regulatory updates
In response to DORA, the UK might update its own operational resilience standards to ensure that its financial sector remains competitive and to facilitate regulatory equivalence arrangements with the EU, which could simplify cross-border financial services.
In short, DORA impacts UK financial institutions in a number of ways. It imposes dual regulatory compliance and may prompt the UK to align its resilience standards with DORA to simplify cross-border operations.
As compliance with DORA can be a competitive advantage, the UK might update its regulations to ensure competitiveness and regulatory equivalence with the EU.
Stay ahead of all the latest payments regulations
Here at Brite Payments we believe that it is imperative for any payments institution, such as ourselves, to stay ahead of the game when it comes to new or changing regulations and directives. If you would like to find out more about the latest changes, then visit our resource pages for more related materials, such as our PSD3 Explainer.