The financial sector has, in recent years, become increasingly reliant on information and communications technology (ICT) systems and on information in digital form to deliver financial services, such that it is now of critical importance to the operation of daily functions.
As the sector’s dependency on ICT has increased, so too has its vulnerability to cyber risk – which can not only impact the financial entity in question but also, due to the interconnectedness of the industry, impact other financial entities, sectors and even the wider economy. In response, the EU’s Digital Operational Resilience Act (DORA) has entered into force.
By 17 January 2025, financial entities and ICT third party service providers (ICT TPPs) will need to be compliant with DORA’s extensive requirements.
A key aspect of DORA is the requirement for financial entities to include certain contractual provisions in ICT service contracts entered into with ICT TPPs. Our experienced team of digital and sourcing lawyers are helping organisations with their contract remediation efforts. Please do contact us to find out how we can help you.
Frequently asked questions
DORA is a comprehensive framework addressing the digital operational resilience needs of financial entities and establishing an oversight framework for ICT TPPs designated as ‘critical’ within the EU financial sector.
DORA consolidates and upgrades ICT risk management, creating uniform requirements for the security of network and information systems supporting business processes of financial entities.
DORA will apply across the EU single market and is directly applicable to:
- A wide range of EU financial entities.
- ICT TPPs designated as ‘critical’ (including those that are based outside of the EU providing services to financial entities) (CTTPs).
Whilst DORA will not apply directly to financial services firms in the UK, multi-national/UK financial services groups with EU operations will need to ensure that those financial entities are DORA compliant.
Each CTTP is subject to direct oversight by a European Supervisory Authority (“ESA”). The oversight framework provides the relevant ESA with broad powers, including the ability to request information and carry out inspections and investigations to assess whether a CTTP has in place comprehensive, sound and effective rules, procedures, mechanisms and arrangements to manage the ICT risk it poses to financial entities.
Digital Operational Resilience Act timeline
Key dates and supplementary guidance for implementation.
DORA voted in the European plenary session.
DORA enters into force - two year implementation period.
ITS to establish the templates of register of information (Date of final draft report: 10 January 2024)
Delegated act on criteria for designating critical ICT service providers (Adopted: 22 February 2024)
RTS on the policy regarding contractual arrangements on the use of ICT services (Adopted: 13 March 2024)
RTS on criteria for classification of ICT-related incidents (Adopted: 13 March 2024)
RTS on ICT risk management framework and simplified framework (Adopted: 13 March 2024)
RTS on composition of joint examination team (Date of final draft report: 17 July 2024)
RTS on harmonisation of oversight conditions (Date of final draft report: 17 July 2024)
Guidelines on cooperation of ESAs and competent authorities re. DORA oversight (Date of final report: 17 July 2024)
Guidelines on estimation of aggregated costs / losses caused by major ICT-related incidents (Date of final report: 17 July 2024)
RTS specifying elements of threat-led penetration testing (Date of final draft report: 17 July 2024)
RTS and ITS on reporting details for major ICT-related incidents (Date of final draft report: 17 July 2024)
RTS on major ICT-related incidents and significant cyber threats reporting (Date of final draft report: 17 July 2024)
RTS on sub-contracting ICT services supporting critical or important function (Date of final draft report: 26 July 2024)
DORA applies to in-scope firms.
Five pillars of DORA
DORA’s requirements are comprehensive and fall into five broad pillars, as indicated below. Each pillar has extensive requirements which need to be implemented by financial entities by 17 January 2025.
Financial entities must establish an ICT risk management framework (including procedures, strategies and policies) as well as frameworks related to governance and controls.
Financial entities must establish and implement an ICT-related incident management process (includes detection, management and reporting).
Financial entities must regularly test their digital operational resilience, with certain entities required to perform advanced threat-led penetration testing for critical functions.
Financial entities must comply with certain requirements related to their use of third-party service providers. A key element of this is the ICT contract remediation requirement, an area which is directly relevant to the legal function and where our experienced team at Browne Jacobson can assist you.
Financial entities should be on the front foot in exchanging cyber threat information and intelligence amongst themselves. This includes indicators of compromise, tactics, techniques, and procedures, cyber security alerts, and configuration tools.
What should financial entities and ICT TPPs be doing now?
- Understand the extent to which the financial entity falls within scope of DORA and ensure DORA’s requirements are understood.
- Establish and/or amend all policies, processes, procedures and frameworks to meet DORA’s requirements by 17 January 2025.
- From a contractual remediation perspective, by 17 January 2025:
  - identify and map ICT TPPs and contractual arrangements (including intra-group) to each financial entity (categorising those which support critical or important functions),
  - collate existing contracts with ICT TPPs,
  - engage with ICT TPPs, and
  - amend ICT TPP contracts in line with DORA requirements.
- Proactively prepare for financial entities amending existing contractual terms, which may include ICT TPPs issuing their own standard amendment documentation to financial entities.
- Consider whether a CTTP designation is likely and, if so, understand the actions that need to be taken to comply with DORA.