The Digital Operational Resilience Act (DORA)

Simplifying the Compliance Process with the New EU IT Resilience Legislation
Get in Touch
The Digital Operational Resilience Act (DORA) is a crucial regulation established by the European Union to enhance the digital resilience of financial institutions amidst rising cyber threats. Compliance with DORA, mandatory from 17 January 2025, is vital for maintaining robust operational security and protecting sensitive financial data.

This regulation requires financial institutions (including banks, insurance companies, investment firms, and third-party service providers) to implement stringent measures to prevent and mitigate cyber threats, and to withstand, respond to, and recover from any IT-related disruptions.

Why is DORA Needed?

The financial sector is increasingly reliant on technology and on tech companies to deliver financial services. This dependence increases vulnerability to cyber attacks and incidents. Poorly managed IT risks can disrupt cross-border financial services, impacting other companies, sectors, and the broader economy.

That’s why the Digital Operational Resilience Act is crucial. DORA aims to ensure the financial sector’s digital operational resilience, safeguarding against these threats and ensuring stability across the entire economy.

Timeline for Implementing DORA

Countdown to launch day

  • days
  • hours
  • minutes
  • seconds
🎉

The three European Supervisory Authorities (ESAs) — the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA) — are developing a set of policy products to facilitate the implementation of DORA.

16 January 2023
DORA enters into force

26 May – 23 June 2023
Public consultation on the call for advice on criticality criteria and fees

19 June – 11 September 2023

30 September 2023

8 December 2023 – 4 March 2024

17 July 2024
Delivery of the second batch of policy documents

17 January 2025
Application of DORA

From 2025
Start of the oversight activities for the ESAs (incl. CTPPs designation)

Does DORA Impact Your Organisation?

Twenty different types of financial services organisations of all sizes will be affected by the Digital Operational Resilience Act, including:

Financial Services & Insurance
Crypto
Lenders
FS Supply Chain
FinTech
Investments firms
Trading venues
Payments
Financial System providers
Credit rating agencies
Crowdfunding

The Five Pillars of DORA

DORA is built on five key pillars focused on IT risk management, reporting, and testing. Each pillar is designed to ensure that financial organisation can withstand, respond to, and recover from IT incidents effectively.

ICT Risk Management

Identify and manage risks related to information and communication technology (ICT).

Incident Reporting

Report IT related incidents promptly and accurately to regulatory authorities.

Digital Operational Resilience Testing

Regularly test systems and processes to ensure they can withstand and recover from disruptions.

Management of Third-Party Risks

Manage and monitor risks associated with third-party service providers.

Information Sharing

Share information about threats and incidents with other financial entities and regulators.

The Consequences of Non-Compliance

As stated, you have until 17 January 2025 to be compliant with the requirements of DORA. Organisations found to be non-compliant with DORA may be fined up to 1% of their average daily global turnover from the previous year. This fine can be levelled daily until the organisation is found to have attained compliance, meaning significant fines can be applied for non-compliance, especially over a protracted period.

As a result, you should look to carry out a gap analysis against the requirements of DORA and the five pillars as soon as possible to ensure you have sufficient time to implement any identified remediations ahead of the January deadline.

Who Will Enforce These Penalties?

Now that the DORA proposal has been formally adopted, EU member states will now pass national legislation to transpose its aspects into law. Concurrently, the European Supervisory Authorities (ESAs) will develop technical standards for all financial services institutions, covering sectors from banking to insurance to asset management. National competent authorities will oversee compliance and enforce the regulation as needed.

How Can We Help?

Ensuring DORA compliance is a multifaceted process that requires a proactive and comprehensive approach to cyber security.

But here’s some good news: It’s highly probable that your current operational resilience and cyber security strategies already align with some of DORA’s requirements. DORA works harmoniously with established governance and operational frameworks such as ISO 27001. Achieving compliance might only necessitate minor adjustments to your existing policies, procedures, and risk management strategies, alongside the introduction of targeted resilience testing procedures.

Regardless of your current stage of DORA compliance readiness, Daisy has the expertise, tools, and experience to guide you seamlessly from start to finish. Our qualified professionals have assisted numerous companies across the financial services sector in implementing robust frameworks to achieve full compliance.

Your Roadmap to DORA Compliance

DORA requires a strategic roadmap that addresses key requirements and ensures robust operational resilience within the financial sector.
Take a look at our roadmap to success which outlines seven essential steps to achieving and maintaining compliance, enhancing operational resilience, and gaining cyber security readiness ahead of the 2025 deadline.

  1. Current State Assessment and Gap Analysis
  2. Develop a Compliance Strategy
  3. Enhance Risk Management Frameworks
  4. Establish Incident Response Protocols
  5. Conduct Operational Resilience Testing
  6. Manage Third-Party Risks
  7. Monitoring and Continuous Improvement

Learn More