Preparing for DORA

The Digital Operational Resilience Act (DORA) entered into force for EU-registered firms in January 2023. 

Giving firms two years to implement, DORA’s scope is wide-ranging and will create business and consumer value and enhance resilience to firms, customers, and the market. 

It requires firms to create a framework that combines Operational Risk, IT Risk, Operational Resilience, Third-Party Risk Management and Cyber Risk to ensure the resilience of technology services across the customer and distribution chain.
 
Significant business value can be gained by firms implementing DORA:

• Greater customer and consumer protection is ensured by more resilient and therefore, reliable services
• Stronger value chain resilience and recoverability will lead to enhanced firm reputation
• DORA will break down silos between Technology and Risk, with far-reaching advantages to firms harmonising the capability of these functions
• Firms can improve efficiency, resilience, and operational effectiveness through combined implementation view of DORA, Operational Resilience and Third-Party Risk Management regulations
• Open information sharing will create greater awareness of threats and resilience risks to firm, market, customers, and consumers

A great starting point to realise these benefits, is to undertake a preparedness review.  

The preparedness review should include:

• Rules mapping to identify in-scope requirements and delivery efficiencies between DORA, Operational Resilience and Third-Party Risk
• A traceability matrix which translates those rules to artefacts and outputs
• A gap analysis aligning the requirements to your current capabilities
• Integration points with operational risk, operational resilience, and third-party risk management
• A transformation roadmap which includes a strategy for prioritising required investments