The Digital Operational Resilience Act (DORA) is a first-of-its-kind regulation in the EU. DORA was published in 2023 to regulate financial services and insurance firms operating in the European Union.  This includes many US firms with operations in the EU.  For a comprehensive list of industries that will be subject to DORA, see Chapter 1, Article 2 of the DORA regulation.   

DORA requires financial entities to build, assure, and review operational integrity and reliability. But what does the DORA regulation really mean for your organization? 

In this article we cover what your business will need to comply with the DORA framework.  If you are not already fully compliant, you should ramp up your compliance process to meet the January 2025 deadline! 

Before we dive into how you can accelerate that process, let’s discuss how DORA is different from any other legislation before it. 

DORA was created as part of the Digital Finance Package (DFP). The DFP is a collection of EU legislative proposals and strategies intended to improve digital resilience, published in September of 2020.  DORA supersedes the assorted EU cyber regulations for financial Information and Communication Technology (ICT). It also expands the scope of these regulations to include Critical Third-Party Providers (CTPP). 

Components of this regulation may not be a surprise to many financial entities, since a similar precedent has been established in the UK. In 2021, before DORA was put into legislative action, there was an analogous regulation enforcing UK Operational Resilience.

One of the main differences between previous regulations and DORA is that DORA is capabilities led. Your firm will need a digital resilience strategy, including continuous monitoring, in order to be compliant.  

DORA is also different from The Network and Information Security (NIS) Directive from 2016, which focuses on the security of a firm’s network and information systems. 

With this context for how DORA is different from other EU regulations, it’s time to discuss how this impacts your firm. 

By January of 2025, the European Supervisory Authorities (ESA) will be inspecting financial organizations to assess their DORA compliance. At that point, firms are expected to be in full compliance.   

Another notable difference with DORA is that Executives and Board of Directors at every financial firm shall be held accountable for complying with DORA regulations. They should ensure their firms immediately perform a business impact analysis and operational risk assessment in order to determine and address any gaps in compliance.  

While it might seem like a long way off, implementing changes of this magnitude will take time. To prepare for the level of compliance required, businesses should begin by following these three steps: 

Entities must analyze their risks and gaps before developing a roadmap to design and implement an enhanced operational resilience framework by early 2025. This process, and the expectations of DORA, will look different for institutions based on their size. Identifying where your firm has opportunities and gaps is the first step. 

By conducting a gap analysis, your firm will be in a better position to address where they need a higher level of organizational maturity when it comes to DORA compliance. 

For any strategy and process to work, there needs to be someone in charge of enacting it. Every firm must either have one person or a group of people held accountable for improving operational resilience. 

Within the ESA, an entirely new role has been created to enforce DORA regulations. The Lead Overseer will make unique recommendations on ICT risk issues and propose actions to protect the financial firm.  

This framework is the key to becoming and staying compliant. Having a reasonable workflow that integrates all regulatory requirements into your firm is the final piece of the puzzle.  

The framework must have: 

1. Processes that address current risks 

2. Arrangements to address future risks 

3. Guidelines to ensure a high level of data availability, confidentiality, and integrity 

DORA is the catalyst that will change how financial institutions view and measure IT operational risk. DORA aligns with regulation in other regions of the world as digital operational resilience is becoming an industry standard best practice. 

Even for organizations outside the EU, DORA is the first wave of an IT risk management revolution. Besides maintaining compliance, financial entities must consider a broader list of IT risks. This includes operational defects and third-party risks. 

If your firm needs an automated solution to help you meet the requirements faster, consider BugZero. Our platform will seamlessly integrate into the required resilience processes and help prevent IT outages due to vendor software defects.