Simon Roberts

Navigating the DORA Regulation: A Comprehensive Guide for EU Financial Entities



Introduction:


On 27 December 2022, the Official Journal of the European Union published the Digital Operational Resilience Act (DORA): Regulation (EU) 2022/2554 and its accompanying amending Directive (EU) 2022/2556. DORA applies from 17 January 2025, and organizations within its scope are preparing for a substantial shift in how they govern ICT risk and operational resilience. While the initial attention on DORA focused on its quasi-regulation of third-party technology providers, its impact on EU-regulated firms, especially financial institutions, extends well beyond that.


Who Does DORA Affect?


If you're an EU financial entity, the answer is a resounding "probably." DORA's scope covers a broad range of financial entities, including credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, insurance and reinsurance undertakings, and more, together with the ICT third-party service providers that serve them. UK firms are not directly in scope, although some will find parallels in existing UK operational resilience rules and in the proposals for a Critical Third Parties regime in the Financial Services and Markets Bill.


Key Requirements of DORA:


  1. Governance and Risk Management:

  • Introduces new governance structures and internal systems for managing ICT risk.

  • Management bodies must define, approve, oversee and remain accountable for the ICT risk management framework; that accountability cannot be delegated.

  • Mandates a comprehensive and well-documented ICT risk management framework, reviewed at least once a year.

  2. ICT Security:

  • Requires financial entities to establish policies, procedures, protocols and tools that ensure the security, resilience and continuity of ICT systems, covering identification of assets, protection and prevention, and backup, restoration and recovery.

  • Continuous monitoring and control of ICT security, with mechanisms to promptly detect anomalous activity, performance issues and potential ICT failures.

  3. Incident Reporting:

  • Mandates classification of ICT-related incidents and reporting of major incidents to the relevant competent authority, using standardized reporting templates.

  • Reporting is staged: an initial notification on the same or next day after the incident is classified as major, followed by an intermediate report and a final report once the root-cause analysis is complete.

  4. Testing:

  • Imposes a digital operational resilience testing programme for ICT systems and processes, with tests carried out by independent parties, whether internal or external.

  • Entities identified by their competent authority must additionally perform threat-led penetration testing (TLPT) at least every three years on live production systems supporting critical or important functions.

  5. ICT Third-Party Service Providers:

  • Requires a register of information on all contractual arrangements with ICT third-party providers and sets minimum contractual provisions, with stricter terms for services supporting critical or important functions.

  • Designation of critical ICT third-party providers, which are placed under direct oversight by the European Supervisory Authorities.

  • Financial entities may only use a critical provider established outside the EU if that provider establishes a subsidiary in the Union within 12 months of its designation.

Practical Steps for Compliance:


  1. Scoping Exercise:

  • Conduct a gap analysis of current governance, ICT risk and third-party frameworks against DORA to identify the areas needing remediation.

  • Develop an implementation plan setting out how, by whom and by when each gap will be closed.

  2. Contractual Requirements:

  • Review and, where necessary, renegotiate contracts with ICT service providers so that they contain the provisions DORA requires, building on work already done under the EBA Guidelines on Outsourcing.

  • Start early: renegotiating a large vendor estate takes time, and last-minute changes are hard to secure.

  3. Engaging with Vendors:

  • Identify existing vendors likely to be designated as critical ICT third-party providers.

  • Engage with those established outside the EU to understand their plans for an EU subsidiary within the 12-month window.

  4. Critical ICT Third-Party Service Providers:

  • Providers likely to be designated, cloud providers in particular, should begin their own scoping exercise and implementation plan now, since they will be subject to direct oversight.

Conclusion:


DORA marks a significant milestone in the regulatory landscape for EU financial entities. As the 17 January 2025 application date approaches, organizations should start now on the changes needed in governance, ICT risk management and third-party relationships rather than wait for the deadline. The steps set out above are intended to help financial entities work through what DORA requires of them in practice.
