DORA will impact you – it will be like GDPR all over again!!

I want to talk to you about DORA because it will be a hot topic next year [like GDPR but for financial services only], and you and your boards should be talking about it now, if not soon.

Briefing

• The up-and-coming EU Digital Operational Resilience Act (DORA) will have global implications [including Jersey!!] for the financial sector and supply chains.

1. How are non-EU organisations relevant to DORA?
1. The DORA, as an EU regulation, applies directly to EU-based entities.
2. However, if a non-EU financial institution operates within the borders of the EU, has a subsidiary in the EU, or a non-EU technology firm provides services to an EU-based financial institution, the DORA covers the institution and its supply chain. 
3. Furthermore, under the DORA, non-EU businesses that provide critical ICT services to EU financial institutions will be required to establish a subsidiary in the EU. 
2. DORA: What is it?

1. The Digital Operational Resilience Act (DORA) is a new European framework that embeds a more robust and resilient approach to delivering digital capabilities in Financial Markets.
2. The framework shifts the focus from guaranteeing firms’ financial soundness to ensuring they can maintain resilient operations through the severe operational disruption caused by cyber security and information and communication technology (ICT) issues.
3. By introducing a consistent supervisory approach across the relevant sectors, DORA ensures convergence and harmonisation of security and resilience practices across firms operating in the European Union (EU).

3. Why is DORA relevant?

1. DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU and the ICT infrastructure supporting them from outside the EU.
2. The regulation introduces specific and prescriptive requirements for all financial market participants, including (but not limited to) banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers and cloud service providers.
3. DORA builds on previous industry-specific guidelines to define requirements around
   1. Consistent ICT risk management,
   2. Comprehensive resilience testing capabilities (including threat-led penetration testing); and
   3. Third-party risk management ensures consistent service provision across the entire value chain.

4. The five critical topics at the centre of DORA are:
   1. ICT Risk Management.
   2. Reporting on ICT-related Incidents.
   3. Digital Operational Resilience Testing.
   4. Management of Third-Party Risk; and
   5. Information and Intelligence Sharing.

5. The regulation is unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).

4. When will DORA be enforced?

1. DORA entered into force on 16th January 2023. With an implementation period of two years, financial entities will be expected to comply with the regulation by early 2025.

Would you like to learn more? CALL ME