Digital Operational Resilience Act (DORA)

The financial sector has, in recent years, become increasingly reliant on information and communications technology (ICT) systems and on information in digital form to deliver financial services, such that it is now of critical importance to the operation of daily functions.

The digitisation and reliance on ICT by financial entities will only continue to accelerate as they seek to harness data and capitalise on the benefits that new technologies, such as generative AI, offer.

As the sector’s dependency on ICT has increased, so too has its vulnerability to cyber risk – which can not only impact the financial entity in question but also, due to the interconnectedness of the industry, impact other financial entities, sectors and even the wider economy.

In response, after a long period of consultation, on 16 January 2023 the European Union’s Digital Operational Resilience Act (“DORA”) entered into force.

Our specialist digital and sourcing lawyers are helping financial services firms and ICT providers comply with the EU DORA regulations. Contact us to find out how we can ensure you are compliant.

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act (DORA) aims to improve the resilience of digital systems that support financial services operations in the EU. UK financial services firms and some third-party ICT service providers with EU operations must comply with DORA by 17 January 2025.

Digital Operational Resilience Act summary

DORA applies across the EU on a uniform basis and has the primary objective of providing a comprehensive and unified framework to enhance the digital operational resilience of the EU financial sector and to minimise disruption to financial entities in the EU.

The scope of financial entities captured by DORA extends well beyond EU banks, insurers and payment and electronic money institutions to capture more than 22,000 financial entities operating in the EU, including crypto-asset service providers and crowdfunding service providers (financial entities).

Whilst DORA will not apply directly to financial services firms in the UK, multi-national/UK financial services groups with EU operations will need to ensure that those financial entities are DORA compliant.

DORA also directly applies to certain ICT third party service providers which are designated as “critical” by European Supervisory Authorities (ESAs), including those that are based outside of the EU providing services to financial entities.

Financial entities operating in the EU are required to fully comply with the extensive conditions required of them under DORA by 17 January 2025. Despite the significant challenge financial entities, as well as ICT third party service providers to those financial entities (ICT TPPs), are facing to achieve compliance by this date, the ESAs have confirmed that this deadline will not move and that no additional “transitional period” beyond 17 January 2025 will apply.

Digital Operational Resilience Act timeline


Five pillars of DORA

Digital operational resilience testing
ICT risk management
Incident management, classification and reporting
Information sharing
Third-party risk management
