By Peter Given, Jade Kowalski, Tim Ryan, Mathew Rutter & Alistair Cooper


Published 20 August 2024

Overview

The EU Digital Operational Resilience Act (DORA) applies from 17 January 2025 and will impact how financial entities prevent and respond to cyber threats and other ICT-related disruptions. 

In this article, we will summarise what DORA is and what financial institutions need to be aware of before it applies. At the end of the article, we provide a link to more detailed resources on DORA we have prepared.


What is DORA? 

DORA is a new law introduced by the European Union (EU) to ensure that financial entities can withstand, respond to, and recover from various ICT-related disruptions and threats. DORA is designed to enhance the digital resilience of the EU financial sector, ensuring it remains stable and secure in an increasingly digital landscape.


What is the purpose of DORA? 

The primary purpose of DORA is to strengthen the digital operational resilience of EU-regulated financial institutions. By implementing DORA, the EU aims to mitigate the risks associated with ICT disruptions and cyber threats, thus protecting the financial system's integrity and stability. DORA seeks to: 

  1. Ensure that financial entities can manage and withstand ICT disruptions
  2. Improve the overall cybersecurity posture of the financial sector
  3. Establish a harmonised regulatory framework for digital operational resilience across the EU


Who does DORA apply to?

DORA applies to a very broad range of EU-regulated financial entities (as set out in Article 2 of DORA). This includes banks, insurance companies, investment firms, payment service providers, and other financial institutions. Entities must adhere to its requirements to avoid penalties and ensure they can continue operating within the EU's financial market. 

DORA also creates an oversight framework for critical ICT service providers (these service providers are designated as critical under Article 31 of DORA). 

Although DORA will not apply in the UK, it will still be relevant for many UK-based financial entities with operations in the EU (e.g., EU-regulated affiliates) and UK ICT service providers who offer services to financial entities in the EU.


What are the five pillars of DORA?

DORA is built upon five pillars that outline the core focuses for financial entities to achieve digital operational resilience. Around each pillar DORA sets out very prescriptive requirements. In summary, these pillars are: 

  1. ICT risk management: Financial entities must implement robust ICT risk management frameworks to identify, assess, and mitigate ICT-related risks effectively
  2. ICT incident management and reporting: Entities must establish mechanisms for identifying, classifying and, where required by DORA, reporting ICT-related incidents to the relevant authorities
  3. Digital operational resilience testing: Regular testing of ICT systems and processes is mandated to ensure they can withstand disruptions and cyber threats
  4. Third-party risk management: Financial institutions must manage risks associated with their reliance on third-party ICT service providers, ensuring these providers meet the necessary resilience standards; this pillar also mandates, among other things, certain provisions that must be included in financial entities' agreements with third-party ICT service providers
  5. Information sharing: DORA encourages financial entities to share information on cyber threats and vulnerabilities to foster a collaborative approach to improving the sector's resilience


Preparing for DORA 

DORA is a complex regulation with exacting requirements, and many organisations will need to undertake a significant amount of work before 17 January 2025. Financial institutions must carry out a gap analysis of their current ICT risk management framework against DORA and execute a robust implementation plan. Among other things, financial institutions may need to remediate their contracts with ICT third-party service providers to meet the contracting requirements of DORA – for some organisations, this will be a significant exercise.

We can advise on the requirements of DORA and help you put strategies in place to achieve compliance. Find out more about DORA and how we can help you prepare. 
