
A-Team Insight Blogs

DORA Standards Finalized and the Clock is Running


With fewer than five months until the EU Digital Operational Resilience Act (DORA) comes into full force, financial institutions and their Information and Communication Technology (ICT) providers must act swiftly to ensure compliance with one of the most comprehensive regulatory mandates to date.

The full DORA mandates become effective on January 17, 2025, following a two-year implementation period. Financial entities and ICT third-party service providers (ICT TPPs) now have a limited window to prepare for compliance following the recent publication of critical specifications. These include the May publication of Commission Delegated Regulation (EU) 2024/1502, which provides guidance on the criteria for categorising an ICT TPP as ‘critical’. In July, the final draft Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs) were finalized and submitted to the European Commission.

These latest standards outline detailed requirements for incident reporting, resilience testing and third-party risk management, which in-scope firms must implement by the January 2025 deadline. Every regulated firm, irrespective of size, will be required to submit a ranked list of critical third-party suppliers and be ready to defend the methodology behind the ranking.

DORA Governance and Workflow Impacts

DORA requires a substantial overhaul of governance structures within financial entities to ensure top-level accountability for digital operational resilience. Boards and senior management must demonstrate a thorough understanding of ICT risks and actively oversee risk management practices. This includes approving and regularly reviewing the ICT risk management framework, establishing clear responsibilities for monitoring third-party risks, and maintaining oversight of incident response and reporting processes.

To comply with DORA, firms must adapt their workflows to integrate these requirements into day-to-day operations. This includes establishing processes for continuous monitoring and regular assessment of ICT risks, developing standardized procedures for incident detection, classification, and notification, and maintaining rigorous oversight of third-party relationships.

DORA mandates a ‘three lines of defence’ model, wherein ICT risk management, control functions, and internal audit functions are clearly separated and independent. Firms will need to ensure that their governance frameworks align with these requirements, which may involve updating board charters, enhancing management expertise in ICT risk, and establishing dedicated committees to oversee digital resilience.

Workflows will need to be optimized to handle rapid reporting requirements, such as the four-hour initial notification deadline for major incidents, ensuring swift communication between internal teams and external stakeholders. Firms may also need to adjust workflows to support the timely collection, analysis and dissemination of relevant data, creating a more agile and responsive operational environment.

New Data and Technology Challenges

DORA imposes stringent requirements on data management, including the need for secure data handling practices, robust encryption and regular testing of data security measures. This involves implementing comprehensive data classification, retention and protection strategies, particularly in the context of third-party risk management.

Organisations will need to maintain detailed records of ICT-related incidents and third-party interactions, which could require significant updates to data storage and archiving systems. Furthermore, DORA’s requirements for information sharing on cyber threats (Pillar 5) will necessitate the establishment of secure communication channels and protocols for sharing sensitive information with regulators and other stakeholders.

Additionally, regulated institutions will need to enhance their technology infrastructures to manage third-party risks effectively, including systems for vendor management, risk assessment and contract monitoring.

DORA’s Five Pillars

DORA is based on five pillars comprising ICT Risk Management, Incident Response and Reporting, Digital Operational Resilience Testing, ICT Third Party Risk Management, and collaborative information sharing on emerging cyber threats:

  1. ICT Risk Management – DORA requires financial entities to implement a comprehensive ICT risk management framework that includes regular assessments, robust governance, and protective measures like secure configurations and continuous monitoring. This framework ensures that entities can effectively identify, manage, and mitigate ICT risks to maintain operational resilience against cyber threats.
  2. Incident Response and Reporting – DORA sets strict standards for incident response, requiring financial entities to establish clear processes for identifying, managing, and reporting ICT-related incidents. Entities must provide initial notification within four hours of detecting a major incident, an intermediate report within 72 hours, and a final report within one month, ensuring prompt regulatory communication and effective incident management.
  3. Digital Operational Resilience Testing – DORA mandates regular testing of ICT systems to evaluate their defences and identify vulnerabilities. This includes various methods such as vulnerability scans, penetration tests, and threat-led penetration testing (TLPT) to validate the resilience of critical systems against real-world cyber threats, ensuring that entities can withstand, respond to, and recover from disruptions.
  4. ICT Third-Party Risk Management – DORA emphasizes stringent oversight of third-party ICT service providers, particularly those deemed ‘critical’. Financial entities must conduct thorough risk assessments, maintain detailed third-party registers, and ensure that contracts include specific provisions to manage third-party risks effectively. ICT providers designated as ‘critical’ must establish an EU subsidiary and comply with direct regulatory oversight.
  5. Information Sharing – DORA promotes proactive information sharing among financial entities, regulators, and other stakeholders regarding cyber threats and vulnerabilities. This collaborative approach enhances situational awareness and fosters a coordinated response to emerging threats, aiming to strengthen the overall cyber resilience of the financial sector.

DORA represents a substantial advancement in harmonizing digital operational resilience requirements across the European Union’s financial sector. Comparisons with other regulatory jurisdictions illustrate both the similarities and differences in regulatory approaches.

Comparisons with the UK Operational Resilience Framework

The UK’s operational resilience framework, established by the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), shares a common goal with DORA: to enhance the resilience of financial institutions against operational disruptions, particularly those arising from ICT risks. However, there are notable differences:

DORA has a broad scope, covering nearly all financial entities within the EU, including banks, investment firms, insurance companies, payment institutions and crypto asset service providers. The UK framework, while also comprehensive, focuses on entities critical to the financial system, such as systemically important banks and financial market infrastructures (FMIs). The UK regime also extends beyond ICT risks to cover any services to UK-regulated firms and FMI entities provided by critical third parties (CTPs).

The UK framework is more principle-based, emphasizing resilience outcomes, and providing flexibility in how firms meet regulatory expectations. It focuses on ensuring that firms can identify their important business services, set impact tolerances, and test their ability to remain within these tolerances during highly disruptive events. In contrast, DORA is more prescriptive, detailing specific requirements for ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management through published standards.

Both frameworks address third-party risk, but DORA imposes stricter requirements, particularly for ICT third-party service providers (ICT TPPs) deemed ‘critical’. Under DORA, these providers must establish an EU subsidiary and are subject to direct supervision by the European Supervisory Authorities (ESAs). The UK’s forthcoming CTP regime, expected to come into force in late 2024, aims to be interoperable with DORA but adopts a risk-agnostic approach covering any service provided by a UK CTP.

Both DORA and the UK framework emphasize senior management and board involvement in overseeing operational resilience. However, while DORA explicitly requires a ‘three lines of defence’ model to separate ICT risk management, control functions and internal audit functions, the UK framework focuses on ensuring appropriate governance structures without prescribing a specific model.

Comparisons with US Regulatory Frameworks

In the US, regulatory bodies like the Federal Reserve, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) have issued joint guidance on operational resilience, particularly concerning cybersecurity and third-party risk management.

A key point of comparison with DORA is the focus on cybersecurity. US regulations, such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, emphasize cybersecurity as a critical component of operational resilience. DORA also focuses on cybersecurity but extends further, encompassing broader ICT risk management, resilience testing, and third-party oversight, making it more comprehensive in digital operational resilience.

Like DORA, US regulators focus on third-party risk management, emphasizing due diligence, risk assessment, and monitoring of third-party relationships. However, DORA’s requirements are more prescriptive, including mandates for ICT TPPs to establish an EU subsidiary if deemed critical. Such a mandate is not required under US regulations.

DORA has stringent incident reporting requirements and specific response times for progress through the incident management life cycle. The US SEC’s cybersecurity disclosure rule requires public companies to report material cyber incidents within four business days, highlighting differences in the granularity and speed of reporting between the two frameworks.

Comparisons with Global Frameworks and Standards

DORA aligns with international standards and frameworks, such as the Basel Committee on Banking Supervision (BCBS) principles for operational resilience and the International Organization for Standardization (ISO) standards like ISO 22301 for business continuity management.

While DORA aligns with BCBS principles on governance, ICT risk management, and incident management, it provides more detailed regulatory requirements. Similarly, while ISO standards offer best practices for business continuity and risk management, DORA codifies these practices into explicit rules.

Global Reach

DORA’s applicability extends beyond the EU’s borders, impacting non-European firms that provide services to EU-based financial entities. This broad scope ensures that the entire financial ecosystem is covered, with no significant players left out of the regulatory framework, thereby creating a harmonised and robust approach to managing ICT risks across the industry.

While extremely broad in scope, DORA introduces a proportionality principle, where the regulatory requirements are tailored to the size, complexity, and risk profile of each entity. While larger, systemically important institutions must adhere to the full spectrum of DORA’s requirements, smaller firms – such as “small and non-interconnected investment firms” – are subject to a simplified ICT risk management framework. However, even these smaller firms must still supply a complete list of ICT vendors and comply with DORA’s core mandates.

The clock is ticking, and the stakes are high. Regulators will expect to see substantial progress and a clear line of sight to full compliance from any firm not in material compliance by the January deadline. Penalties for non-compliance will be severe, including fines of up to 2% of total annual worldwide turnover, or up to €1 million for individuals.
