BACKGROUND
The Digital Operational Resilience Act (DORA), which entered into force on 16 January 2023 and will apply from 17 January 2025, marks a significant shift in the regulatory landscape for financial entities within the European Union.
At its core, this new EU legislation seeks to secure the outsourcing by financial entities of critical and important functions to cloud service providers and to develop an appropriate mechanism for the supervision of those information and communications technology (ICT) service providers – thereby strengthening the digital operational resilience of the financial sector in the face of cyber threats and other IT-related operational disruptions.
In advance of DORA's application, financial entities must determine whether they fall within the scope of the regulation and, if they do, what the applicable requirements are. Whilst in-scope entities will already be advanced in their pre-implementation planning, this article provides a summary of the key areas financial entities need to focus on in order to prepare for DORA.
SCOPE OF DORA
DORA applies, at EU level, to a wide range of financial entities regulated by the Central Bank of Ireland (CBI), including credit and payment institutions, electronic money institutions, investment firms, crypto-asset service providers, central securities depositories, data reporting service providers, some insurance and reinsurance undertakings and crowdfunding service providers, and also to ICT third-party service providers.
DORA's UNIFORM REQUIREMENTS
To achieve a common level of operational resilience, DORA sets out uniform requirements for financial entities including to:
- establish an ICT risk management framework that facilitates the identification of risks and ensures that protective and preventative measures are in place, that risk detection is carried out consistently and on a regular basis, that appropriate response and recovery plans are in place, and that mechanisms exist to allow entities to learn and evolve from threats.
- report major ICT-related incidents to competent authorities, and establish and implement a management process to monitor, log, classify and mitigate ICT-related incidents.
- conduct regular testing of ICT systems and processes to ensure digital operational resilience, including threat-led penetration testing.
- monitor risks associated with reliance on third-party service providers.
- ensure that contracts with ICT third-party providers contain all necessary monitoring and accessibility details, such as a full service level description, an indication of the locations where data is processed, monitoring obligations, access rights, incident reporting, an obligation to comply with DORA standards, exit strategies and subcontractor oversight.
- ensure strong governance structures are in place to oversee ICT risk management, including responsibilities at board level.
- ensure robust business continuity and disaster recovery plans are in place to maintain continuity of operations during disruptions, and promote the sharing of information with peers regarding cyber threats with a view to enhancing sector resilience.
- implement measures to protect sensitive data and ensure the integrity of ICT systems.
DORA's requirements are further specified in regulatory technical standards and implementing technical standards (RTS and ITS), the development of which is co-led by the European Supervisory Authorities.
HOW TO COMPLY WITH DORA
While preparations are likely well underway at in-scope financial entities, we set out below a high-level summary of the steps that financial entities should take to comply with DORA by 17 January 2025:
- Governance and Regulatory Compliance: align organisational processes, structures, and planning with regulatory standards, engaging the Board of Directors and senior management.
- Mapping: document current strategies, policies, and processes that manage ICT-related risks and clarify the roles and responsibilities of ICT-related functions.
- DORA Risk Management Framework: develop a risk management framework, and classify and systematise DORA's requirements into measures, tools and interdependent processes.
- Gap Analysis and Planning: conduct a gap analysis of existing ICT risk management practices against DORA's requirements to identify professional or competence deficiencies needing uplift, before developing an action plan that bridges the gaps identified and covers the necessary structural and organisational changes to ensure full compliance.
- Vendor Management: review and ensure that contracts and subcontracts with ICT third-party service providers are updated to comply with DORA, so as to enhance accountability and ensure ICT services meet the necessary standards. Note: this includes incorporating provisions to ensure that third-, fourth- and fifth-party ICT service providers are accountable.
- Incident Response Planning and Testing: create or uplift incident response plans to ensure effective management of ICT-related disruptions, and conduct regular testing of ICT systems to test resilience and readiness.
- Monitoring and Reporting: establish and maintain processes for the continuous monitoring and improvement of ICT resilience practices, adapting to evolving risks and regulatory changes.
CONCLUSION
DORA represents a significant step towards enhancing the resilience of the financial sector against ICT-related disruptions, though implementation brings with it increased regulatory compliance requirements.
If you need assistance or advice on DORA requirements or implementation before the January 2025 deadline, contact Yvonne O'Byrne, Partner, or your usual Beauchamps contact.
Article written by Yvonne O'Byrne, Partner and Rachel Leavy, Trainee Solicitor