DORA: What you need to know
5 min read 13 June 2024
New regulation can be hard to get your head around—especially when it’s as wide-ranging as DORA. Here’s everything you need to know about the new regulation.
What is DORA?
The EU’s Digital Operational Resilience Act (DORA) is the world's most expansive digital risk regulation for financial services firms and their supply chains. It ensures financial institutions can withstand, respond to, and recover from all types of ICT-related disruptions and threats. It takes a forward-looking approach to the increasing risks in ICT and cyber, so financial stability is upheld, and consumers protected.
Why is DORA important?
Complying with DORA is imperative for every financial institution with the EU.
Its heightened and deeper focus on digital risks enshrines targeted, qualitative requirements to strengthen control capabilities. In response, firms must enhance their technology and cyber resilience, improve their risk and control framework, and put ICT risks high on the agenda of boards and executive committees.
DORA also has complex and wide-ranging implications—far beyond the usual regulations that stretch into different jurisdictions. It aims to harmonise digital operational resilience for firms operating across multiple EU jurisdictions and simplify compliance efforts.
It also impacts businesses typically outside the scope of financial regulations, for example, third-party ICT service providers such as cloud service providers and data centres. And even though it’s an EU regulation, it impacts and includes those who might not be established in but provide services to financial firms within the EU. These third-party businesses face indirect exposure due to the obligations on financial entities to manage their third-party risk, and direct exposure where they’re designated as critical third parties (CTPs).
What does DORA mean for your firm?
DORA uplifts many existing rules and guidelines across the regulatory landscape to Europe’s financial market. It aims to ensure a consistency across the financial sector and defines specific guidelines across ICT risk management, resilience testing capabilities, and third-party risk management.
It focuses on five key areas:
- ICT risk management: DORA sets out clear guidelines for internal governance and ICT risk management. Financial entities are required to create internal structures that limit ICT risks.
- ICT third-party risk management: DORA also focuses on the management of risks stemming from services provided by ICT third parties. It includes monitoring third-party risk providers, key contractual provisions, and critical oversight.
- Digital operational resilience testing: The regulation includes provisions for basic and advanced resilience testing, ensuring a comprehensive approach to digital operational resilience.
- ICT-related incident management and reporting: There are general requirements for reporting major ICT-related incidents to competent authorities.
- Information sharing: DORA encourages the appropriate exchange of information and intelligence on cyber threats between entities to strengthen overall resilience for the financial sector.
When is DORA live?
DORA was enacted on 16 January 2023 and will apply as of 17 January 2025 with the oversight activities for European Supervision Authorities (ESAs).
How we see DORA
At Baringa, we see DORA as an opportunity; it’s a chance to master how you manage digital risk.
There’s no avoiding the fact that digital and cyber incidents are increasing in severity and frequency each year, but it’s how you adopt regulation like DORA that will make the difference to your organisation’s resilience. Adopting DORA enables you to map your critical business functions, control their associated risks and the services they underpin, and gives you the visibility needed to truly embed resilience. It’s only by understanding the risks and controls in your digital infrastructure that you can successfully accelerate the safe deployment of new technologies that’ll drive revenue, improve services, and provide better customer outcomes.
DORA is also just the beginning. Globally, regulators are placing increasing focus on operational resilience and cyber risk, and we expect to see a tidal wave of new regulation across the UK, US, and APAC in the next few years. But with DORA as your foundation, focusing on cyber risk and resilience now will set you up to seamlessly manage future regulatory interventions.
Need help with your DORA implementation?
We can help you define the proper scope and priorities for your DORA execution to get you fit for January and lay the foundation for beyond.
We don’t believe in one-size-fits-all solutions. We help you focus on the right details—whether that’s simplifying your network of third-party dependencies, fine-tuning your ICT risk frameworks, or developing your testing capability. We act as an extension to your team embedding resilience at the core of your organisation to protect your biggest assets. And when we leave our capabilities stay because we upskill your people to build sustainable solutions faster, keeping you ready for the next wave of risk and regulation.
Get in touch to see how we can turn DORA compliance into your firm’s competitive advantage
Our Experts
Related Insights
What's next for DORA?
For financial entities operating in the EU, the past year has been a sprint to the DORA compliance deadline—and the work isn’t over yet. We share our view on what's next.
Read moreCyber incident management: is your financial services firm ready?
Disruptive incidents are increasingly the norm. We outline three essential actions you must take to build your firm's risk readiness and resilience today.
Read moreYour roadmap for DORA day one compliance
With less than six months to go, the race to DORA compliance is on. Our day one roadmap identifies and prioritises critical actions you need to take within four of DORA's main pillars.
Read moreTurn DORA compliance into advantage
You might see it as a regulatory box-ticking exercise, but how you approach DORA could define a long-lasting approach that can significantly accelerate your response to other upcoming regulations.
Read moreRelated Client Stories
Delivering regulatory change for UK building society
How can a UK building society deliver regulatory change while ensuring a great customer experience?
Read moreKeeping large-scale capital investment on track
How do you independently assess the governance and maturity of a multi-billion program?
Read moreEquipping a UK building society to fight financial crime
How do you create a technology platform that can stay one step ahead of financial criminals?
Read moreUsing regulatory change as an opportunity to strengthen and rationalise internal controls
As UK regulators plan an Internal Controls and Governance directive, this major insurer seized the opportunity to achieve its long-term ambition.
Read moreAre digital and AI delivering what your business needs?
Digital and AI can solve your toughest challenges and elevate your business performance. But success isn’t always straightforward. Where can you unlock opportunity? And what does it take to set the foundation for lasting success?