DORA is a draft regulation published by the European Commission in September 2020 and forms part of the European Commission’s wider Digital Finance Strategy to support the development of digital finance while mitigating associated risks. The legislative proposal builds on existing information and communications technology (ICT) risk management requirements already developed by other EU institutions and ties together several recent EU initiatives into one Regulation to create a harmonized approach across the EU, regulators and financial services industry.
DORA will apply to a wide range of financial entities, including credit institutions, electronic money institutions, investment firms, and insurance and reinsurance undertakings. Importantly, DORA will also bring critical ICT third-party providers, including cloud service providers, formally within the scope of supervision by the European Supervisory Authorities for the first time. Significant penalties can also be imposed on such a provider by its Lead Overseer for non-compliance: a periodic penalty payment of 1% of the provider's average daily worldwide turnover in the preceding business year, applied on a daily basis until compliance is achieved, for no more than six months.
DORA is due to impose a range of ICT-related requirements on financial entities. The key requirements include:
Financial services organisations should assess whether their current frameworks and processes meet the expanded requirements and plan accordingly to address the key areas.
DORA is currently progressing through the EU's ordinary legislative procedure and is likely to change before it is finalised and enters into law. The final text is expected within the next 18 to 24 months. In the interim, financial entities and ICT service providers should be aware of the significant change in regulatory requirements around operational resilience that DORA is likely to introduce, begin assessing how that change will affect their ICT risk management framework, and take appropriate steps to meet the expanded regulation.
Grant Thornton have a proven track record in performing operational resilience reviews and implementations. We have extensive industry and regulatory knowledge that can support financial services entities in preparing for the implementation of the Digital Operational Resilience Act.