
DORA developments

The Topline

“The European Union’s Digital Operational Resilience Act (DORA) came into force in January 2023, and is scheduled to take effect in January 2025. 

DORA will affect a wide range of financial institutions and technology companies, and its impact is not limited to EU-based businesses.”

Nick Stubbs, Partner, Technology & Digital



What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act, or “DORA”, is a significant piece of legislation which calls for a renewed focus on operational risk in light of the financial sector’s increasing reliance on digital technology.

By now all financial institutions and technology companies should have worked out whether they need to comply with DORA.

If you need to comply you should be implementing the necessary changes to your contracts, internal governance and risk management arrangements at pace, and with a close eye on the regulatory technical standards and implementing technical standards.

This article:

• Explains who’s affected by DORA.
• Summarises some of DORA’s key requirements.
• Sets out some of the key areas of your business that you’ll need to consider, and potentially change, in order to comply with DORA.

Why does DORA matter?

A reliable and secure financial system benefits everyone.

DORA aims to mitigate the systemic vulnerabilities across the financial system which exist due to the “high level of interconnectedness across financial entities, financial markets and financial market infrastructures, and particularly the interdependencies of their ICT systems”[1].

DORA is supplemented by technical standards and delegated acts, which cover certain technical points of implementation.

Do I need to comply with DORA?

Unlike the EU’s existing operational risk rules, DORA isn’t limited to specific financial services but covers the financial sector as a whole. All financial entities in the EU (and the European Economic Area) need to comply with DORA, including:

• Credit institutions.
• Payment institutions.
• Account information service providers.
• Electronic money institutions.
• Investment firms.
• Crypto-asset service providers.

This includes entities that are currently outside the scope of the existing European Banking Authority Outsourcing Guidelines.

You may also need to comply with DORA if you’re an ICT provider. This is because DORA subjects ICT third-party service providers who are designated as “critical” to an oversight framework run by the European Supervisory Authorities (“ESAs”, such as the European Banking Authority).

This is important because it means that, for the first time, technology businesses are subject to the direct oversight of the financial services regulators.

Crucially, DORA’s impact isn’t limited to EU-based businesses, and if you’re a United Kingdom based business you need to tread carefully.

DORA could have a direct impact on UK-based businesses because UK financial entities and ICT providers operating in the EU will need to comply with DORA, and UK technology providers considered ‘critical’ under DORA will face direct regulation by EU authorities.

DORA could also have an indirect impact on UK-based businesses because DORA requires financial entities to monitor their ICT service supply chains. This theoretically involves not only monitoring their immediate providers, but also their immediate providers’ subcontractors. This increases the potential for a UK provider to find itself impacted by DORA, even if it’s not providing ICT services to any financial entities in the EU.

Even if you’re a UK-based business that isn’t caught by DORA, you need to understand how the UK’s equivalent plans to ensure operational resilience, sometimes referred to as “UK DORA”, impact your business.

If I need to comply, what should I be doing?

DORA is scheduled to take effect in January 2025, and the delegated acts and standards required to implement it are in the process of being drafted and published.

So time is running out for affected financial entities and ICT providers…

If you’re a financial entity

If you need to comply with DORA you need to start implementing the necessary changes now (if you’ve not done so already).

DORA imposes specific obligations on financial entities, in areas such as:

• Internal governance.
• ICT risk management.
• ICT incident management.
• Digital operational resilience testing.
• ICT third-party provider risk management.

The specific obligations include:

• Defining and implementing an ICT risk management framework.
• Implementing the required ICT incident reporting and testing measures.
• Maintaining a register of existing ICT third-party service provider contracts.
• Undertaking the required risk assessments.
• Ensuring that contracts include certain specified provisions.

If you need to comply with DORA you should carry out a gap analysis to identify the areas in which you’re currently non-compliant. This analysis will help to identify the changes that you need to make, which in turn will form the basis of your project plan.

The necessary changes may include changes to your policies and procedures, contracts with ICT service providers, and your internal governance arrangements.

If you’re an ICT provider

The new oversight framework empowers ESAs to request information from, investigate and inspect critical ICT providers. The criteria for determining whether an ICT provider is critical or not will be set out in one of DORA’s delegated acts, and therefore ICT providers won’t be designated as critical until this delegated act has been adopted.

If you’re designated as critical, you’ll need to:

• Set up a subsidiary in an EU Member State (if you don’t have one already) within 12 months of your designation as critical.
• Notify all the financial entities that you provide services to that you’ve been designated as critical.
• Consider what updates to your policies and procedures will be required in light of the key contractual requirements for the provision of ICT services to financial entities, and also consider how the more stringent contractual requirements, which apply to a financial entity’s critical or important functions, will impact you.

What about “UK DORA”?

If you’re a UK-based business operating in financial services you’ll need to keep a close eye on “UK DORA” as it evolves. As explained above, if you operate in both the EU and the UK you’ll need to navigate the EU and UK regimes in parallel.

We’ll be publishing some further insights on the new UK regime very soon.

How we can support you

Our expert financial services and technology lawyers can help you by:

• Briefing your internal stakeholders and management on DORA.
• Identifying any relevant activities/services.
• Undertaking a gap analysis and an initial impact assessment.
• Project mapping/planning.
• Refreshing policies and procedures.
• Contract remediation.

Please don’t hesitate to contact us if you need support. Find out more about our Banking & Finance, and Technology & Digital teams.


[1] Recital (3) of Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on Digital Operational Resilience for the Financial Sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011.
