Exploring the Impacts of DORA

May 03, 2024
  • Investor Services
Adrian Whelan sums up what is at stake for firms and their service providers.

The Digital Operational Resilience Act (DORA) is an EU regulation that creates an Information and Communication Technology (ICT) risk management framework for the financial sector. However, its impact will be felt globally due to the wide net of those captured either as DORA- regulated entities or their service providers located outside of Europe.

Owing to the complexity of DORA, the European Supervisory Authorities (ESAs) are releasing more details on DORA implementation in two distinct batches:

  • Batch 1 was published on January 17, 2024, made up of three regulatory technical standards (RTS) and one implementing technical standard (ITS). 
  • Batch 2 is expected in July 2024 and is made up of four distinct regulatory technical standards, one implementation standard, and accompanying guidelines.

Here we deconstruct some of the complexities of the regulation as the January 17, 2025, deadline looms.

DORA By the Numbers

Two types of firms are affected by DORA – (1) those directly in scope including banks, asset managers, central securities depositories (CSDs) and (2) those deemed critical ICT providers to in scope entities. It also applies to in-scope entities’ service providers materially supporting their ICT stacks. Such organizations could include software providers, data centers and cloud providers, as well as internet and email hosts.

In scope regulated entity “types” that fall within the full scope of DORA for incident reporting template purposes are detailed below:



Credit institutions

Central securities depositories Data reporting service providers Crowdfunding service providers
Payment institutions Central counterparties Insurance and reinsurance undertakings Securitization repositories
Account information service providers Trading venues Insurance intermediaries Other financial entity
Electric money institutions Trade repositories Institutions for occupational retirement provision Non-financial entity: ICT intra-group service provider
Investment firms Managers of alternative investment funds Credit rating agencies Non-financial entity: Other
Crypto-asset service providers as authorized under MICA Management companies Administrators of critical benchmarks  

Three regulatory principles underpin this gargantuan regulation:

  1. Convergence – common language, standards around cyber and ICT risk across the E.U.
  2. Proportionality – DORA implementation may consider the size and overall risk profile of an entity as well as the nature, scale, and complexity of services.
  3. Security by Design – firms should consider elements such as the design of products, services, and distribution channels. Security and proper governance to mitigate risks should be present throughout the entire life cycle of the product.

Five primary areas of activity are contained within DORA:

  1. ICT Risk Management
  2. Reporting of ICT related incidents
  3. Digital Operational Resilience Testing
  4. Thid Party Risk Management
  5. Information and intelligence sharing

Six stages are outlined in the DORA implementing technical standards (ITS) as best practice when it comes to assesssing ICT risk management:

  1. Identify
  2. Protect and Prevent
  3. Detect
  4. Respond and Recover
  5. Learning and Evolve
  6. Communicate

DORA's Implications

  • A firm could face a penalty of 1% of their average daily worldwide turnover for non-compliance. This period of non-compliance accrues daily for up to six months.
  • There are three “layers” that determine what constitutes a “major ICT incident”:
    • Layer 1: Determine if the incident affects critical services.
    • Layer 2: Determine if the incident is a result of a malicious intrusion.
    • Layer 3: Determine whether the incident impacts at least two of the following six criteria:
      • Number of clients affected
      • Amount of data loss affected
      • Reputational impact
      • Duration and service downtime
      • Geographic spread
      • Economic impact
  • A major ICT related incident should be reported at first instance within one business day, an intermediate report within a week of first notification, and a final report with root-cause analysis submitted no later than one month.
  • There are 15 mandated reporting templates within the DORA regulatory technical standards. Firms will be required to use these to compile a register of information as well as the relationships between the entity maintaining the DORA register, its branches, and each of the ICT and other critical third-party service providers. The templates contain relational keys which outline the end-to-end structure of ICT supporting the DORA entity’s business model regardless of their own location or regulatory status. Once again, this shows that DORA is a highly comprehensive set of rules.
  • The Central Bank of Ireland’s Consultation Paper CP140 already provides industry guidance on operational resilience. While DORA is more prescriptive, many banks and asset managers in Europe already largely adhere to many of the operational resilience requirements. The regulatory theme of operational resilience, outsourcing and delegation risk management, business continuity processes, and cyber security have been large focus areas and continue to be top priorities.
  • In Luxembourg, the CSSF recently introduced a new ICT-related incident reporting framework by way of Circular CSSF 24 /847 which broadly aligns to both DORA and the EU NISD2 cybersecurity directive requirements.

Many questions remain as industry processes the outstanding RTS and ITS while also comparing it with the plethora of global operational resilience regulations already in place.

To discuss DORA, please contact Adrian Whelan or your BBH representative.

Up Next
Up Next

ELTIF 2.0 Good Vibes

A positive policy pivot from the European Commission has the market excited once again about ELTIF 2.0.

1The percentage is based on prior year's financial results.

Brown Brothers Harriman & Co. (“BBH”) may be used to reference the company as a whole and/or its various subsidiaries generally. This material and any products or services may be issued or provided in multiple jurisdictions by duly authorized and regulated subsidiaries. This material is for general information and reference purposes only and does not constitute legal, tax or investment advice and is not intended as an offer to sell, or a solicitation to buy securities, services or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code, or other applicable tax regimes, or for promotion, marketing or recommendation to third parties. All information has been obtained from sources believed to be reliable, but accuracy is not guaranteed, and reliance should not be placed on the information presented. This material may not be reproduced, copied or transmitted, or any of the content disclosed to third parties, without the permission of BBH. Pursuant to information regarding the provision of applicable services or products by BBH, please note the following: Brown Brothers Harriman Fund Administration Services (Ireland) Limited and Brown Brothers Harriman Trustee Services (Ireland) Limited are regulated by the Central Bank of Ireland, Brown Brothers Harriman Investor Services Limited is authorised and regulated by the Financial Conduct Authority, Brown Brothers Harriman (Luxembourg) S.C.A is regulated by the Commission de Surveillance du Secteur Financier. All trademarks and service marks included are the property of BBH or their respective owners. © Brown Brothers Harriman & Co. 2024. All rights reserved. IS-09875-2024-04-30

As of June 15, 2022 Internet Explorer 11 is not supported by BBH.com.

Important Information for Non-U.S. Residents

You are required to read the following important information, which, in conjunction with the Terms and Conditions, governs your use of this website. Your use of this website and its contents constitute your acceptance of this information and those Terms and Conditions. If you do not agree with this information and the Terms and Conditions, you should immediately cease use of this website. The contents of this website have not been prepared for the benefit of investors outside of the United States. This website is not intended as a solicitation of the purchase or sale of any security or other financial instrument or any investment management services for any investor who resides in a jurisdiction other than the United States1. As a general matter, Brown Brothers Harriman & Co. and its subsidiaries (“BBH”) is not licensed or registered to solicit prospective investors and offer investment advisory services in jurisdictions outside of the United States. The information on this website is not intended to be distributed to, directed at or used by any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation. Persons in respect of whom such prohibitions apply must not access the website.  Under certain circumstances, BBH may provide services to investors located outside of the United States in accordance with applicable law. The conditions under which such services may be provided will be analyzed on a case-by-case basis by BBH. BBH will only accept investors from such jurisdictions or countries where it has made a determination that such an arrangement or relationship is permissible under the laws of that jurisdiction or country. The existence of this website is not intended to be a substitute for the type of analysis described above and is not intended as a solicitation of or recommendation to any prospective investor, including those located outside of the United States. Certain BBH products or services may not be available in certain jurisdictions. By choosing to access this website from any location other than the United States, you accept full responsibility for compliance with all local laws. The website contains content that has been obtained from sources that BBH believes to be reliable as of the date presented; however, BBH cannot guarantee the accuracy of such content, assure its completeness, or warrant that such information will not be changed. The content contained herein is current as of the date of issuance and is subject to change without notice. The website’s content does not constitute investment advice and should not be used as the basis for any investment decision. There is no guarantee that any investment objectives, expectations, targets described in this website or the  performance or profitability of any investment will be achieved. You understand that investing in securities and other financial instruments involves risks that may affect the value of the securities and may result in losses, including the potential loss of the principal invested, and you assume and are able to bear all such risks.  In no event shall BBH or any other affiliated party be liable for any direct, incidental, special, consequential, indirect, lost profits, loss of business or data, or punitive damages arising out of your use of this website. By clicking accept, you confirm that you accept  to the above Important Information along with Terms and Conditions.

1BBH sponsors UCITS Funds registered in Luxembourg, in certain jurisdictions. For information on those funds, please see bbhluxembourgfunds.com

captcha image

Type in the word seen on the picture

I am a current investor in another jurisdiction