The Digital and Operational Resilience Act (DORA) is a new Regulation that gives the European Supervisory Authorities (ESAs) new powers over critical ICT third-party service providers, so that the risks arising from financial entities' dependence on ICT service providers can be monitored individually. ICT third-party service providers (TPPs) will be considered critical, and therefore subject to individual regulatory oversight, either because they meet predefined criteria or because they opt in on a voluntary basis.
DORA was introduced on 15 January 2023 with a two-year period of adherence. By January 2025, organisations in scope will have to be in a position to meet the requirements of the Regulation. These requirements include the following.
Enhancing and streamlining financial entities' management of operational risk, including operational resilience.
Increasing supervisors' awareness of the cyber risks and ICT-related incidents faced by financial entities.
Establishing thorough testing of ICT systems and their resilience.
Introducing powers for financial supervisors to oversee the risks stemming from financial entities' dependency on ICT third-party service providers.
DORA takes a proportionality-based approach, tailoring its rules to the size, business complexity and risk profile of each financial institution. However, some requirements apply systematically to all financial entities that do not qualify as micro-enterprises, while others apply only to financial entities identified as significant.
The Regulation will bring convergence with existing guidelines: it provides a single, consistent set of rules aligned with EU policy and built on existing EBA/EIOPA guidelines and outsourcing regulatory frameworks, so that operational risks are addressed in a consistent way and the compliance burden and costs are reduced. This approach is supported by high-level, principle-based requirements that are technology-agnostic, so they apply to all financial institutions, and that remain adaptable and flexible in a changing environment. DORA thus provides holistic guidance that empowers the operational resilience risk function across the entire organisation, from business strategy to operational processes and external providers.
DORA will be a seismic shift in the market, not only for financial services but also for ICT third-party providers. Key impacts include:
Harmonization of key elements of relationships with ICT third-party service providers throughout all stages of contractual arrangements
Standard contractual clauses will be required to contain a complete description of services.
Third-party service providers designated as critical (CTPPs) by the ESAs will be subject to an oversight framework. The ESAs designated as lead overseers must ensure that each such CTPP is adequately monitored.
To meet the requirements of DORA, now is the time to assess where your organisation stands in terms of compliance with the new standard.