
In December 2022, the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) was published in the Official Journal of the European Union, and it entered into force in January 2023. The regulation applies from 17 January 2025, by which date organisations in scope must be able to demonstrate compliance with it.
DORA applies to a wide range of organisations that collectively fall under the scope of “Financial Entities”, as defined in Article 2 of the regulation. These include insurance intermediaries, reinsurance intermediaries, credit institutions, investment firms and insurance and reinsurance undertakings.
In addition to financial entities, DORA also applies to ICT third-party service providers, particularly those that provide ICT services supporting critical or important functions of financial entities, and those designated as critical by the European Supervisory Authorities (ESAs).
In Ireland, DORA is complemented by several guidance documents issued by the Central Bank of Ireland, including its guidance on outsourcing and on IT and cybersecurity risks. Most relevant is the “Cross Industry Guidance on Operational Resilience”, published in December 2021; organisations in scope are expected to be able to demonstrate compliance with that guidance by December 2023. By complying with it, organisations put in place the first steps towards compliance with DORA.
Whilst DORA does not itself set fine amounts, it requires EU member states to lay down administrative penalties and remedial measures for breaches (Article 50) and leaves them free to provide for criminal sanctions in their national law (Article 52). In this the regulation departs from the approach of the General Data Protection Regulation (GDPR) and the revised Network and Information Security Directive (NIS2), both of which specify maximum fines directly. In Ireland, the Central Bank of Ireland may already impose sanctions on regulated firms and individuals under its Administrative Sanctions Procedure.
DORA defines five key pillars of compliance:
The impact on your organisation will vary depending on the effort it has already put into improving operational resilience.
We recommend that organisations develop an operational resilience management system that allows them to easily demonstrate compliance with DORA.
An initial step is a gap analysis comparing the organisation's current environment with the requirements set out in DORA. This identifies the current gaps in compliance and the priority areas of focus.
The highest level of management within the organisation should ensure that it understands the risks of insufficient operational resilience controls, sign off on an operational resilience strategy, and receive regular updates on progress towards the improved future state. The strategy should be given sufficient resources to ensure that the controls are successfully embedded and benefit the organisation.
Organisations should start implementing the requirements of DORA now. This will require identifying a business owner, allocating resources, conducting a gap analysis and developing a roadmap to compliance.
Forvis Mazars can support your business to prepare for and maintain compliance with DORA. This includes our ability to support you with the following: