DORA (Digital Operational Resilience Act) is an EU regulation requiring financial services firms to manage ICT risk, report incidents, test resilience, and oversee third-party providers. It applies from January 2025. If you're in financial services or provide ICT to them, you're likely affected.
What DORA Is
DORA is the EU's regulation on digital operational resilience for the financial sector. It creates:
- Uniform ICT risk management requirements
- Incident classification and reporting obligations
- Digital operational resilience testing rules
- Third-party ICT risk management framework
Who DORA Applies To
Financial entities (direct scope)
- Credit institutions (banks)
- Investment firms
- Insurance and reinsurance companies
- Payment institutions
- Electronic money institutions
- Crypto-asset service providers
- Trading venues
- Data reporting service providers
- Fund managers
- Credit rating agencies
- Crowdfunding platforms
ICT third-party providers
- Cloud service providers to financial entities
- Software providers
- Data analytics services
- Critical ICT service providers
The Five Pillars
1. ICT Risk Management
Requirements:
- ICT risk management framework
- Governance and organisation
- Identification of ICT risks
- Protection and prevention measures
- Detection capabilities
- Response and recovery
- Learning and evolving
2. Incident Reporting
Requirements:
- Classify ICT-related incidents
- Report major incidents to regulators
- Specific reporting timelines (initial notification within 24 hours, followed by intermediate and final reports)
- Root cause analysis
- Lessons learned
3. Digital Operational Resilience Testing
Requirements:
- Regular testing of ICT systems
- Vulnerability assessments and scans
- Open source analysis
- Network security assessments
- Physical security reviews
- Threat-led penetration testing (for significant entities)
4. ICT Third-Party Risk Management
Requirements:
- Due diligence before contracting
- Contractual requirements
- Oversight and monitoring
- Exit strategies
- Register of third-party providers
- Concentration risk management
5. Information Sharing
Requirements:
- Participate in information sharing on cyber threats
- Share intelligence with other financial entities
- Contribute to sector resilience
UK Position
Post-Brexit: DORA is EU regulation. UK firms aren't directly subject to DORA.
But:
- UK firms with EU operations or clients must comply for those activities
- FCA and PRA have similar expectations (operational resilience rules)
- UK may adopt equivalent requirements
- Market pressure means DORA-level resilience becomes expected
Key Deadlines
January 2025: DORA applies in full
If you're not ready: Time is short.
Getting Compliant
Gap assessment
- Map current state against DORA requirements
- Identify gaps across all five pillars
- Prioritise by risk and effort
Framework development
- ICT risk management framework
- Incident response procedures
- Testing programme
- Third-party management processes
Implementation
- Technical controls
- Governance structures
- Operational procedures
- Documentation and evidence
Ongoing compliance
- Regular testing
- Incident management
- Third-party oversight
- Continuous improvement
How We Help
For financial services firms:
- DORA gap assessments
- ICT risk management framework development
- Resilience testing (vulnerability assessments, pen testing)
- Incident response capability
- Third-party risk management
For ICT third-party providers:
- Understanding DORA expectations on you
- Contractual compliance
- Security controls to meet client requirements
- Evidence and reporting
