DORA: Preparation and Compliance
DISCLAIMER: This post was last modified on 13 August 2024. Some information in this article may not be updated.
The Digital Operational Resilience Act (DORA) applies across the EU from 17 January 2025. In this article, we explain the Act and present our experts' insights into how entities can better prepare to comply with it in the few months left before it applies.
Frequently Asked Questions about the Digital Operational Resilience Act (DORA)
What is the DORA?
The Digital Operational Resilience Act, or DORA (Regulation (EU) 2022/2554), is the EU's framework for managing information and communication technology ("ICT") risk in the financial sector. It sets binding requirements in five areas: ICT risk management, reporting of ICT-related incidents, digital operational resilience testing, management of ICT third-party risk, and information sharing on cyber threats. It also creates an oversight framework for critical ICT third-party service providers. Financial entities should expect heightened supervision and stricter controls from their national competent authorities and from the European Supervisory Authorities ("ESAs": the EBA, EIOPA and ESMA).
Why is the EU implementing the Act?
- Identify ICT risks and improve digital resilience
- Simplify the reporting of ICT incidents
- Allow supervisors access to incident-related ICT information
- Ensure the evaluation of preventive and resilience measures
- Allow for the acceptance of testing results across borders
- Regulate the monitoring of ICT third-party providers
- Monitor critical ICT third-party service providers
What does the Act cover?
The DORA covers most regulated financial entities in the EU, including credit institutions, insurance and reinsurance undertakings and intermediaries, investment firms, pension funds, crypto-asset service providers and fund managers. For every entity in scope, the ICT systems it operates and the ICT services it relies on fall under the regulation.
Additionally, DORA reaches ICT third-party service providers, covering services such as cloud computing, software, data analytics and data centres. Providers that the ESAs designate as "critical ICT third-party service providers" are placed under a dedicated oversight framework, with one of the ESAs acting as Lead Overseer.
When will this be effective?
The DORA entered into force on 16 January 2023 and applies from 17 January 2025. Companies are encouraged to take a proactive approach and start preparing as early as possible for the operational and financial implications of the DORA framework.
What are the consequences of non-compliance with the DORA?
Failure to comply with the DORA may result in administrative penalties. For financial entities, DORA does not itself fix a maximum fine: it leaves the penalty regime to each Member State's competent authority, requiring only that penalties be effective, proportionate and dissuasive. The amount will therefore differ by regulator and by jurisdiction, but must be proportionate to the nature and size of the business and the breach. For critical ICT third-party service providers, the Lead Overseer can impose periodic penalty payments of up to 1 per cent of the provider's average daily worldwide turnover for each day of non-compliance, for up to six months. Additionally, should a breach of the DORA also constitute a breach of the General Data Protection Regulation (GDPR), there could be further sanctions under that regime.
We have previously published articles on DORA, explaining the Act in detail:
- What is the Digital Operational Resilience Act? | Bolder Group
- An Update on the EU’s Digital Operational Resilience Act (boldergroup.com)
Preparing for DORA compliance: Our Insights
Bolder Group's experts provided their insights into the Act. David Payne, our Global Head of Governance, outlines the ideal governance structures in a DORA-compliant landscape, and Adrian Mubangizi, our Global Head of Compliance, highlights the priority measures that institutions should take to prepare for DORA in the lead-up to its application.
How can institutions prepare to comply with the Act?
Adrian Mubangizi: To comply with DORA, institutions must begin by carefully understanding the scope and requirements of the regulation. This involves conducting a detailed gap analysis to identify areas where their current ICT risk management and operational resilience measures fall short. Institutions should then update or implement governance frameworks that clearly define roles and responsibilities for managing ICT risks at all levels. Additionally, strengthening cybersecurity protocols and developing strong incident response plans are crucial steps. These measures should be complemented by regular testing, including penetration tests, and continuous monitoring to ensure that systems are resilient and capable of withstanding potential threats or disruptions.
Institutions should also focus on third-party risk management, ensuring that all third-party ICT providers meet DORA’s resilience standards. This can also be achieved by updating contracts and SLAs to include specific resilience requirements. Institutions should also establish mechanisms for timely reporting of ICT-related incidents to regulators and internal stakeholders. Reporting ICT-related incidents to regulators is essential for DORA compliance, ensuring transparency and accountability while contributing to the mitigation of systemic risks in the financial sector. Additionally, sharing insights with industry peers promotes collaboration, harmonizes threat responses, and strengthens public-private partnerships, ultimately enhancing the resilience and stability of the broader financial ecosystem.
Finally, regular staff training and simulations are essential to prepare employees to respond effectively to disruptions. By engaging with regulators early and investing in innovative technologies, institutions can not only ensure compliance with DORA but also enhance their overall operational resilience in a rapidly evolving digital landscape.
What should they prioritise?
When it comes to DORA, financial services firms should prioritise establishing an ICT risk management framework that includes comprehensive cybersecurity measures and a well-defined incident response plan. This involves regular risk assessments (which will identify key vulnerabilities), continuous monitoring and extensive testing to ensure resilience against digital disruptions. Once these are ironed out, the management of third-party risks, requiring thorough due diligence and the inclusion of specific resilience requirements in contracts with service providers, should be prioritised. For comprehensive oversight, governance and accountability should be reinforced, with clear roles for senior management in overseeing digital resilience efforts. Finally, for operational efficiency, firms must also invest in employee training and advanced technologies to enhance resilience.
What mistakes should they avoid?
When implementing DORA, financial services firms should avoid several common mistakes to ensure meaningful compliance. One critical error is underestimating the scope and complexity of DORA’s requirements, leading to incomplete risk assessments and inadequate cybersecurity measures. Another mistake is neglecting third-party risk management, which can leave firms vulnerable if their service providers do not meet the required resilience standards. Firms should also avoid siloed approaches where different departments work in isolation, as this can undermine a cohesive and comprehensive implementation strategy. Additionally, insufficient training and awareness programs for employees can lead to gaps in operational resilience, making firms more susceptible to ICT-related disruptions. Finally, failing to establish clear governance structures with senior management accountability can result in weak oversight and poor decision-making, ultimately compromising the firm’s ability to comply with DORA effectively.
What is the ideal governance structure to meet DORA’s governance/compliance requirements?
David Payne: Entities that would fall under DORA can keep their internal compliance/governance structure(s) and upgrade their policies/procedures for the same to be compliant. They should also ask any third-party service provider to confirm their compliance with DORA.
How can we manage third-party risks effectively upon the enactment of DORA – both internally and for our clients?
David Payne: We have to make sure that all policies/procedures, systems, personnel (duly trained), etc., are equipped with the right tools/knowledge to meet the requirements of DORA.
Bolder Group as your partner for your compliance needs
Bolder Group is your partner in navigating the complex regulatory landscape in the EU and beyond. We keep ourselves informed of the latest updates to the legislation so we can better assist our clients in staying ahead of the regulatory requirements and ensuring their entities’ sustainability. Amidst the changes that the DORA brings, our governance experts collaborate closely with our clients to establish robust governance frameworks for their structures, while our compliance professionals work with them to ensure full DORA adherence.
Ready to comply with the Act? Let’s discuss your business and requirements. Contact our team today. Governance – Bolder (boldergroup.com)
Bolder Group does not provide financial, tax or legal advice and the information contained herein is meant for general information purposes only. We strongly recommend that before acting on any of the information contained herein, readers should consult with their professional advisers. The Bolder Group accepts no liability for any errors or omissions in the information, or the consequences resulting from any action taken by a reader based on the information provided herein.
Bolder Group refers to the global network of independent subsidiaries of Bolder Group Holding BV. Bolder Group Holding BV provides no client services. Such services are provided solely by the independent companies within the Bolder Group which are each legally distinct and separate entities and have no authority (actual, apparent, implied or otherwise) to obligate or bind Bolder Group Holding BV in any manner whatsoever. The operations of the Bolder Group are conducted independently and have no affiliation with third party financial, tax or legal advisory firms or corporations.