Digital Resilience for Financial Services Firms | What is DORA?

The European Commission published a legislative proposal for a regulation on Digital Operational Resilience in the EU financial services sector ("DORA") back in September 2020. In parallel, the Bank of England (BoE), the Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA) have published new policies that set out requirements for regulated entities in relation to outsourcing and operational resilience.

The DORA proposal was designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements throughout the financial sector to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations.

Importantly, in line with the UK regulators' recently introduced Outsourcing and Third-Party Risk Management (OTPRM) policy, the proposal also introduces an oversight framework for critical third-party providers, such as cloud service providers.

What's the main aim of DORA?

DORA aims to ensure that all participants in the financial system have the necessary safeguards in place to mitigate cyber-attacks and other digital risks. The proposed legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. 

What sectors does DORA apply to?

DORA covers an extensive range of financial services sectors including:

Consumer and business lenders
Payment providers and electronic money institutions
Investment & Asset Management firms
Crypto-asset service providers
Central securities depositories
Central counterparties
Trading venues and trade repositories
AIFMs and management companies
Data reporting service providers
Insurance and reinsurance undertakings and intermediaries
Institutions for occupational retirement pensions
Credit rating agencies
Statutory auditors and audit firms
Administrators of critical benchmarks
Crowdfunding service providers
Securitisation repositories

What is the DORA rollout plan?

Although DORA is still under review and currently at the draft stage, in-scope financial entities are advised to start familiarising themselves with the vast range of proposed requirements. The proposal will now have to be negotiated by the European Parliament and European Council.

The final regulations are expected to be published towards the end of 2022, with a compliance date and additional technical standards following 12-18 months later.

How FourthLine can help:

FourthLine is working with a number of financial service firms to help them with Operational Resilience enablement and Outsourcing and 3rd-Party Risk Management, through a mixture of end-to-end consulting and resourcing options.


May 20, 2022
Written by Jakes de Kock