DORA Regulation - Digital Operational Resilience Act  

Is your financial institution prepared for the Digital Operational Resilience Act (DORA) regulation? 

DORA aims to strengthen the security posture of the European Union’s financial sector by imposing specific technical standards on a wide range of financial institutions and entities, including banks, insurance companies, and investment firms, as well as their critical third-party information and communication technology (ICT) providers.

Covered entities must be in compliance with DORA by January 17, 2025. 


In need of experienced counsel that can navigate the DORA requirements?

At up to 50% lower rates than law firms, Axiom can help you find & engage the right regulatory, commercial, and compliance lawyers with the relevant knowledge and experience to seamlessly navigate the EU’s new DORA requirements and ensure compliance.

90% of clients rate Axiom lawyers as equal to or better than lawyers from a law firm.


Understanding DORA Regulation

As banks and other financial entities have grown increasingly dependent on technology, they’ve become more vulnerable to cyberattacks. If not adequately managed, these risks can potentially disrupt financial services across national borders and eventually impact other companies, sectors, and even the entire economy.

Before DORA, European Union (EU) member states issued their own risk management rules, creating a regulatory patchwork that was difficult for financial institutions to navigate. By standardising these rules, DORA seeks to address the gaps, overlaps and conflicts that could arise between disparate regulations in different member states.  

What Entities are Subject to DORA Requirements?

DORA applies to a broad range of financial institutions and entities, including those headquartered in European Union member states and non-EU organizations operating within the European market, such as:

  • Banks
  • Payment institutions
  • Electronic money institutions
  • Investment firms
  • Insurance and reinsurance companies
  • Credit rating agencies
  • Crypto-asset service providers (CASPs)
  • Crowdfunding service providers
  • Managers of alternative investment funds (AIFMs)
  • UCITS management companies

DORA also applies to ICT third-party providers that European Union regulators designate as “critical,” such as:

  • Cloud computing providers
  • Data center operators
  • Software vendors
  • Data analytics firms 

What Does DORA Require?

DORA establishes technical requirements across five pillars:

  • ICT Risk Management and Governance: An organisation's leadership—including board members, executives, and senior managers—must establish and implement effective risk management strategies and stay up-to-date on the ICT risk landscape. They may be held personally liable for non-compliance.
  • Incident Response and Reporting: Covered entities must establish systems for monitoring, managing, logging, classifying and reporting ICT-related incidents. Specific reporting requirements depend on the severity of an incident.
  • Digital Operational Resilience Testing: Covered entities must test their ICT systems regularly to assess the strength of their protections and identify vulnerabilities. Testing results and plans for addressing any vulnerabilities must also be reported to the relevant authorities.
  • Third-Party Risk Management: Financial firms are expected to actively manage ICT third-party risks. When contracting with such providers, they must negotiate specific provisions regarding exit strategies, audits and performance targets for accessibility, integrity and security. Critical ICT third-party providers will be subject to oversight from the relevant European Supervisory Authorities (ESAs).
  • Information and Intelligence Sharing: The final pillar of DORA promotes sharing information and intelligence related to cyber threats and vulnerabilities among organizations. 

While not required, DORA also encourages entities to participate in voluntary threat intelligence-sharing arrangements. 

Axiom: Your Partner in DORA Compliance 

DORA will place a significant compliance burden on financial entities operating in the European Union at a time when many corporate law departments face considerable budgetary and headcount pressure. 

Axiom can help both financial entities and ICT providers. 

With access to an international network of more than 14,000 high-calibre legal professionals, Axiom can connect your organisation with one or more regulatory, commercial and/or compliance lawyers with the relevant knowledge and experience to seamlessly navigate the complex requirements imposed by DORA.

  • Regulatory Compliance Advisory: Provide comprehensive guidance on interpreting and adhering to DORA requirements.
  • Implementation Support: Assist with developing and implementing a risk mitigation strategy, testing protocols, and incident reporting and response systems.
  • Contract Negotiation and Compliance Support: Draft and negotiate contracts and amendments with third parties, and monitor and manage the associated risks.
  • Training and Education: Create playbooks for educating leadership on the new requirements and their obligations under DORA.

Why Choose Axiom?

Partnering with Axiom ensures you never have to compromise your highest standards. 

Just 3% of lawyers who apply are eventually hired by Axiom, and only after undergoing an intensive interview and background check process that requires the submission of at least three references from past supervisors. Those who make the cut average 15 years of experience, including tenures at Fortune 500 and Am Law 200 firms. Many are graduates of a U.S. News & World Report Top 50 Law School.

This deep bench of legal talent allows us to tailor engagements to your specific needs. Axiom lawyers are available full- or part-time and for long-term or short-term assignments, either onsite or from a remote location. While your team will be responsible for supervising their work, we’ll partner with you throughout the onboarding process to ensure they’re fully meeting your expectations from day one. 


Ready to Connect with Axiom?

Axiom helps the world's top companies and organisations, from mid-market innovators to over half of the Fortune 100, work smarter, mitigate risk more effectively, and make the most of every budgeted dollar without compromising legal outcomes.

If your financial institution requires assistance navigating the complexities of DORA, we’re ready to help. Axiom’s regulatory compliance lawyers have deep experience in data privacy, finance, regulations, compliance, and more. 
