The Digital Operational Resilience Act (DORA) is an EU regulation that creates an Information and Communication Technology (ICT) risk management framework for the financial sector. Its impact will be felt globally, because the net covers both DORA-regulated entities and the ICT service providers that support them, including providers located outside Europe.
Owing to the complexity of DORA, the European Supervisory Authorities (ESAs) are releasing the detailed technical standards that implement it in two distinct batches:
- Batch 1 was published on January 17, 2024, and is made up of three regulatory technical standards (RTS) and one implementing technical standard (ITS).
- Batch 2 is expected in July 2024 and is made up of four further regulatory technical standards, one implementing technical standard, and accompanying guidelines.
Here we deconstruct some of the complexities of the regulation as the January 17, 2025, deadline looms.
DORA By the Numbers
Two types of firms are affected by DORA: (1) financial entities directly in scope, including banks, asset managers and central securities depositories (CSDs), and (2) the ICT third-party service providers that support them, with those designated as critical ICT third-party providers falling under direct oversight by an ESA Lead Overseer. Providers that materially support an in-scope entity’s ICT stack but are not designated critical are reached indirectly, through the contractual and third-party risk management obligations placed on the in-scope entity. Such providers could include software vendors, data centers and cloud providers, as well as internet and email hosts.
The in-scope regulated entity “types” that fall within the full scope of DORA for incident reporting template purposes are:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers as authorized under MiCA
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitization repositories
- Other financial entity
- Non-financial entity: ICT intra-group service provider
- Non-financial entity: Other
Three regulatory principles underpin this gargantuan regulation:
- Convergence – a common language and common standards for cyber and ICT risk across the EU.
- Proportionality – DORA implementation may consider the size and overall risk profile of an entity as well as the nature, scale, and complexity of services.
- Security by Design – firms should consider elements such as the design of products, services, and distribution channels. Security and proper governance to mitigate risks should be present throughout the entire life cycle of the product.
Five primary areas of activity are contained within DORA:
- ICT Risk Management
- Reporting of ICT related incidents
- Digital Operational Resilience Testing
- Third Party Risk Management
- Information and intelligence sharing
Six functions are set out in DORA’s ICT risk management chapter (Articles 8 to 14 of the regulation, elaborated in the RTS on the ICT risk management framework) as the structure for managing ICT risk:
- Identify
- Protect and Prevent
- Detect
- Respond and Recover
- Learn and Evolve
- Communicate
DORA's Implications
- A critical ICT third-party service provider that fails to comply with the Lead Overseer’s measures could face a periodic penalty payment of up to 1% of its average daily worldwide turnover1, accruing daily for up to six months. Penalties for financial entities themselves are set by each member state’s competent authority.
- Three “layers” determine whether an ICT incident is a “major ICT incident” that triggers mandatory reporting:
- Layer 1: Determine whether the incident affects critical services.
- Layer 2: Determine whether the incident results from malicious, unauthorized access to the entity’s network and information systems.
- Layer 3: Determine whether the incident meets at least two of the following six criteria:
- Number of clients, financial counterparts or transactions affected
- Data losses
- Reputational impact
- Duration and service downtime
- Geographic spread
- Economic impact
- A major ICT-related incident must be reported in three steps: an initial notification within one business day, an intermediate report within a week of the initial notification, and a final report with root-cause analysis submitted no later than one month after.
- The DORA implementing technical standards mandate 15 templates for the register of information on ICT third-party arrangements. Firms will be required to use these to compile the register, capturing the relationships between the entity maintaining the register, its branches, and each ICT third-party service provider, including those supporting critical or important functions. The templates are linked by relational keys that describe the end-to-end structure of the ICT supporting the entity’s business model, regardless of where each provider is located or whether it is itself regulated. Once again, this shows how comprehensive the DORA rulebook is.
- The Central Bank of Ireland’s Consultation Paper CP140 already provides industry guidance on operational resilience. While DORA is more prescriptive, many banks and asset managers in Europe already adhere to much of what it requires. Operational resilience, outsourcing and delegation risk management, business continuity processes, and cyber security have been major regulatory focus areas and continue to be top priorities.
- In Luxembourg, the CSSF recently introduced a new ICT-related incident reporting framework by way of Circular CSSF 24/847, which broadly aligns with both DORA and the EU NIS2 cybersecurity directive requirements.
Many questions remain as the industry digests the outstanding RTS and ITS and compares them with the plethora of operational resilience regulations already in place globally.
To discuss DORA, please contact Adrian Whelan or your BBH representative.
1 The percentage is based on the prior year’s financial results.
Brown Brothers Harriman & Co. (“BBH”) may be used to reference the company as a whole and/or its various subsidiaries generally. This material and any products or services may be issued or provided in multiple jurisdictions by duly authorized and regulated subsidiaries. This material is for general information and reference purposes only and does not constitute legal, tax or investment advice and is not intended as an offer to sell, or a solicitation to buy securities, services or investment products. Any reference to tax matters is not intended to be used, and may not be used, for purposes of avoiding penalties under the U.S. Internal Revenue Code, or other applicable tax regimes, or for promotion, marketing or recommendation to third parties. All information has been obtained from sources believed to be reliable, but accuracy is not guaranteed, and reliance should not be placed on the information presented. This material may not be reproduced, copied or transmitted, or any of the content disclosed to third parties, without the permission of BBH. Pursuant to information regarding the provision of applicable services or products by BBH, please note the following: Brown Brothers Harriman Fund Administration Services (Ireland) Limited and Brown Brothers Harriman Trustee Services (Ireland) Limited are regulated by the Central Bank of Ireland, Brown Brothers Harriman Investor Services Limited is authorised and regulated by the Financial Conduct Authority, Brown Brothers Harriman (Luxembourg) S.C.A is regulated by the Commission de Surveillance du Secteur Financier. All trademarks and service marks included are the property of BBH or their respective owners. © Brown Brothers Harriman & Co. 2024. All rights reserved. IS-09875-2024-04-30