The European Commission published a legislative proposal for a regulation on Digital Operational Resilience in the EU financial services sector ("DORA") in September 2020. In parallel, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have published new policies setting out requirements for regulated entities in relation to outsourcing and operational resilience.
The DORA proposal was designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations.
Importantly, in line with the UK regulators' recently introduced Outsourcing and Third-Party Risk Management (OTPRM) policy, the proposal also introduces an oversight framework for critical ICT third-party service providers, such as cloud service providers.
What's the main aim of DORA?
DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other digital risks. The proposed legislation will require firms to demonstrate that they can withstand, respond to and recover from all types of ICT-related disruptions and threats.
What sectors does DORA apply to?
DORA covers an extensive range of financial services sectors, including:
- Consumer and business lenders
- Payment providers and electronic money institutions
- Investment and asset management firms
- Crypto-asset service providers
- Central securities depositories
- Trading venues and trade repositories
- Alternative investment fund managers (AIFMs) and management companies
- Data reporting service providers
- Insurance and reinsurance undertakings and intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Statutory auditors and audit firms
- Administrators of critical benchmarks
- Crowdfunding service providers
What is the DORA rollout plan?
Although DORA is still under review and currently at the draft stage, in-scope financial entities are advised to start familiarising themselves with the wide range of proposed requirements. The proposal must now be negotiated by the European Parliament and the Council of the EU.
The final regulation is expected to be published towards the end of 2022, with the compliance date and the supporting technical standards following 12 to 18 months later.
How FourthLine can help:
FourthLine is working with a number of financial services firms to help them with Operational Resilience enablement and Outsourcing and Third-Party Risk Management, through a mixture of end-to-end consulting and resourcing options.
Download our Outsourcing and Third-Party Service Deck here.
To read our new Operational Resilience Technical Paper, click here.