An Update on the EU’s Digital Operational Resilience Act
DISCLAIMER: This post was last modified on 14 June 2024. Some information in this article may no longer be up to date.
The financial industry primarily depends on technology and tech businesses to efficiently provide financial services. As a result, financial firms are more exposed to incidents like cyberattacks. ICT risks that are not appropriately managed can affect other companies, industries and even the economy in general. This highlights the significance of the financial sector’s digital operational resilience.
The EU’s Digital Operational Resilience Act (DORA) came into force on 16 January 2023 and is expected to significantly affect the regulated funds market when it applies from 17 January 2025. The regulation aims to improve digital operational resilience, reduce ICT risk and harmonise cybersecurity requirements for the financial industry across the EU.
What does the DORA cover?
- ICT risk management – An effective, comprehensive, well-documented framework that sets principles and requirements for ICT risk management.
- ICT third-party risk management – Control ICT third-party risk and oversee critical ICT third-party service providers.
- Digital operational resilience testing – Robust and extensive testing plans to ensure digital operational resilience, including advanced testing.
- ICT-related incidents – An incident management process to identify, control and notify major ICT-related incidents to the appropriate authorities.
- Information sharing – Exchange of information and intelligence about cyber threats through agreements that safeguard the potentially sensitive nature of the shared data.
- Oversight of critical third-party providers – Oversight framework for ICT third-party providers designated by European Supervisory Authorities (ESAs) as vital to the financial sector.
The Act covers the financial sector and service providers within the EU, as well as companies and other entities outside the EU that offer services or transact business with any EU financial market participants.
A wide range of financial entities are affected, including central securities depositories, credit and payment institutions, trading venues and several kinds of service providers. However, insurance intermediaries, natural or legal persons and managers of alternative investment funds are exempt from DORA.
Timeline
Third-party service providers: considerations and compliance
Asset managers who depend on service providers must adapt their outsourcing procedures to adhere to DORA for essential functions. One key consideration is conducting due diligence on the third-party service provider: its risk management procedures, DORA compliance and ICT security measures must be comprehensively evaluated. Contractual safeguards are equally essential; service provider contracts must specify what is expected of the provider regarding DORA compliance. Moreover, asset managers must monitor their service providers’ compliance with DORA on an ongoing basis.
More broadly, financial market participants should take careful steps to ensure their third-party service providers comply with DORA. These include requesting documentation, conducting audits and using financial regulators’ guidance to learn how to manage third-party DORA risks.
Penalties for non-compliance with the DORA
Failure to comply with the DORA may result in financial fines. The maximum penalty that can be imposed is €10 million, or 5 per cent of the company’s total annual turnover, whichever is higher. Additionally, should a breach of the DORA also constitute a breach of the General Data Protection Regulation (GDPR), there could be further sanctions.
The amount of the fine will differ according to the regulator; however, the regulation stipulates that it must be proportional to the size of the business.
Bolder solutions
Companies can achieve DORA compliance without completely overhauling their current procedures by improving their governance structures and building on existing GDPR initiatives. In this constantly evolving regulatory environment, our experts at Bolder Group can help market actors adapt to, improve under and comply with new policies.
We help businesses manage risks, combat financial crimes and fraud and satisfy evolving customer expectations by leveraging cutting-edge technology, in-depth regulatory knowledge and industry expertise.
Get in touch with our team to discuss your compliance needs and learn more about our services.
Bolder Group does not provide financial, tax or legal advice and the information contained herein is meant for general information purposes only. We strongly recommend that before acting on any of the information contained herein, readers should consult with their professional advisers. The Bolder Group accepts no liability for any errors or omissions in the information, or the consequences resulting from any action taken by a reader based on the information provided herein.
Bolder Group refers to the global network of independent subsidiaries of Bolder Group Holding BV. Bolder Group Holding BV provides no client services. Such services are provided solely by the independent companies within the Bolder Group which are each legally distinct and separate entities and have no authority (actual, apparent, implied or otherwise) to obligate or bind Bolder Group Holding BV in any manner whatsoever. The operations of the Bolder Group are conducted independently and have no affiliation with third party financial, tax or legal advisory firms or corporations.