DORA: Key considerations for IT directors
Even firms without an EU presence need to prepare
Jonathan Armstrong of Punter Southall Law sets out what IT leaders need to know about the incoming regulation.
The EU’s regulation on Digital Operational Resilience for the Financial Sector (DORA) applies from 17 January 2025. DORA will transform operational resilience requirements for the financial sector, and for those who sell to financial services providers, and IT directors in particular need to be ready.
Although DORA applies to EU-based firms, operational resilience is a key priority for UK financial firms as well: the UK’s own operational resilience rules come into full effect in March 2025.
Strengthening digital defences
DORA is designed to reinforce the financial sector’s digital resilience. Covering banks, insurers and investment firms, it also applies to providers of key third-party services like cloud computing.
As financial systems are part of critical national infrastructure, disruptions to them can have widespread consequences, as the July 2024 outage demonstrated, when a faulty CrowdStrike Falcon sensor update crashed Windows hosts across many sectors.
Requirements and penalties
DORA consolidates and upgrades ICT risk requirements throughout the EU financial services sector, so that a very wide range of participants are subject to a common set of standards for managing ICT risk, including cyber security risk.
Because DORA concentrates on supply-chain resilience, its impact will reach well beyond financial services: the ICT third-party providers that serve regulated firms are pulled into scope through the contractual and oversight requirements placed on their clients.
EU Member States will be responsible for establishing penalties and remedial measures under DORA, which can apply to both natural and legal persons. They can also apply these measures to a legal entity’s management body and other responsible individuals, plus choose to establish criminal penalties for breaches. So, actions against CISOs personally may well increase.
Impact on UK businesses
Though DORA doesn’t apply to UK firms directly (unless they’re active in the EU), UK regulators prioritise operational resilience through a similar framework. UK firms must:
- Identify critical business services and set impact tolerances for disruption.
- Map dependencies across people, technology, and resources.
- Conduct scenario testing and apply lessons learned from disruptions.
- Develop communication strategies to mitigate disruption impacts.
The UK’s operational resilience rules have been in effect since March 2022, and the transition period ends in March 2025, after which they are fully enforceable. Previous fines, such as the £48.65 million imposed on TSB for IT failures, reflect regulators’ commitment to stringent oversight.
How can businesses prepare?
Organisations in the DORA regime, or providing services to those that are, will need to consider how to meet their responsibilities under DORA. This will include the following 10 steps:
- A gap analysis to focus the work that needs to be done. This could include scope questionnaires for the various parts of the business.
- Training on operational resilience. This is likely to include the IT team, communications professionals and the compliance function.
- Making sure processes and procedures are in place for horizon scanning and for responding promptly to incidents. This is likely to include a review and testing of your incident response process.
- Looking at the board and senior management team’s skills and expertise. In many cases recruitment will be necessary to plug gaps.
- For financial services organisations: working out key dependencies, mapping devices, data flows and storage locations, and ensuring that compliant contracts are in place with all third-party providers.
- For third-party providers: working out which key clients are likely to be in the DORA regime and anticipating the assistance they will need to comply. This could include white papers, FAQs or template responses.
- Working out your regulatory regime: who your key regulators will be and how you will meet your obligations to keep them informed.
- Looking at your contracts. Will it be necessary to add a DORA addendum?
- Mapping your critical or important functions.
- Robust testing of your new processes and the measures you have put in place.
Financial services firms are required to have in place sound, effective and comprehensive strategies, processes and systems that enable them adequately to comply with the applicable operational resilience requirements. Organisations should seek specialist advice to ensure they fully understand how DORA and the UK rules apply to them.