DORA, the Digital Operational Resilience Act, is a regulation introduced by the European Union (EU) aimed at strengthening cyber resilience within the financial sector. It is part of the broader EU digital finance strategy, designed to ensure that financial institutions can withstand, respond to, and recover from ICT (Information and Communication Technology)-related disruptions or threats, such as cyberattacks or system failures.
Although the UK is no longer part of the EU, DORA will still have a significant impact on the UK’s financial sector due to the global interconnectedness of financial markets and cross-border operations of UK-based firms.
DORA was adopted in December 2022 and will take effect from January 17, 2025.
Key Features of DORA
- Scope: Applies to a wide range of financial entities, including banks, insurance companies, payment institutions, fintech firms, and ICT third-party service providers (e.g., cloud services).
- ICT Risk Management: Requires firms to establish comprehensive frameworks for managing risks associated with ICT systems and processes.
- Incident Reporting: Requires firms to report significant ICT-related incidents in a standardized manner to the relevant competent authorities.
- Digital Resilience Testing: Firms must regularly conduct resilience testing, including penetration testing, to identify vulnerabilities in their systems.
- Oversight of Third-Party Providers: Introduces stricter oversight of third-party ICT providers critical to financial services, including the potential for direct regulation of these providers by EU authorities.
- Harmonization: Standardizes rules across EU member states to reduce regulatory fragmentation and ensure consistency.
How DORA Will Affect the UK
Since the UK left the EU in 2020, the act does not apply to it directly. However, because most financial markets operate across geographical borders, many UK-based companies are likely to be required to follow suit. Here’s how:
- UK Firms Operating in the EU: UK financial entities with operations or clients in the EU will need to comply with DORA for their EU activities. This includes adapting their cyber risk management frameworks and incident reporting mechanisms to align with DORA’s requirements.
- Competitive Alignment: Even for UK-only operations, firms may voluntarily align with DORA standards to remain competitive and meet the expectations of international clients and partners.
- Third-Party Providers: UK-based ICT providers serving EU financial institutions could come under DORA’s regulatory scope, potentially leading them to enhance their own operational resilience practices.
- Regulatory Influence: While the UK has its own financial regulatory frameworks, such as the operational resilience requirements of the UK Financial Conduct Authority (FCA), DORA may influence UK regulators to adopt similar or equivalent measures to maintain parity with EU standards.
- Increased Costs and Compliance: UK firms interacting with the EU will likely face increased costs due to compliance with DORA, particularly around testing, reporting, and third-party oversight.
- Global Standards Setting: DORA may set a benchmark for digital resilience globally, potentially influencing the development of similar regulations in the UK and other jurisdictions.
What Next?
In summary, while DORA directly applies to EU entities, its implications will ripple into the UK due to the interconnected nature of financial services, encouraging alignment or adaptation in areas such as operational resilience, incident reporting, and oversight of critical third-party providers.
In order to understand the scope, and work out a roadmap for compliance, it is advisable to conduct a gap analysis. Here at 3B Data Security, we can help you with this and help navigate the complexity of working with an EU requirement within the UK.
Conduct a Gap Analysis and Implementation Plan
- Gap Analysis: Compare current practices against DORA’s requirements to identify areas needing improvement.
- Roadmap: Develop a clear timeline for addressing gaps, prioritizing critical areas like third-party risk management and incident reporting.
- Progress Reviews: Regularly review your implementation plan to ensure milestones are met before the January 2025 deadline.
By taking these steps, we can help you proactively prepare for DORA, and assist in mitigating risks of non-compliance, improving resilience, and enhancing trust with regulators, clients, and stakeholders.
Get in touch with us today to find out more about our DORA consultancy services, and how we can help your organisation achieve compliance.