Preparing for the Digital Operational Resilience Act (DORA)

How financial services can comply with new EU IT resilience legislation.

You might be aware of the newly adopted Digital Operational Resilience Act (DORA) for financial services entities. But what action does your organisation need to take to comply with the legislation?

The European Union (EU) has formally adopted its latest operational resilience legislation, DORA, which will place additional reporting requirements on financial institutions and their critical suppliers.

A deadline of 17 January 2025 has been set for those affected to ensure they are compliant, and organisations must act now to guard against evolving risks.


Request a DORA Readiness Assessment today

What is DORA?

DORA builds on existing institutional EU requirements in response to market-wide, ongoing digital transformation and evolution of new associated risks.

The Act aims to set uniform requirements for the operational resilience of almost all financial entities operating in the EU. Importantly, it also applies to critical third parties that provide ICT (information and communication technologies) services to the FS sector, e.g., cloud platforms, professional services, or data analytics.

DORA also mandates that all participants in the financial system have the necessary safeguards in place to mitigate attacks and other risks, such as supplier failure, service deterioration, and concentration risk.

Does DORA impact you?

20 different types of financial services organisations of all sizes will be affected, including:

[Image: list of the financial services entities impacted by DORA]

The reach of DORA is set to be far broader than any previous regulation, impacting any financial institution or critical providers that need access to or operate within the EU market.

In addition to the above FS organisations, the European Supervisory Authorities (ESAs) – the entities responsible for the supervision of EU financial markets – will be able to designate critical ICT third-party service providers based on criteria such as sustainability and the potential systemic impact they could cause if they experienced a large operational failure.


As DORA is EU legislation, it may not always apply directly to UK organisations, but because many UK firms have operations within the EU, DORA may still affect them. Even if you only supply EU financial institutions from the UK, you will be in scope of DORA.

The 5 required steps for DORA compliance

DORA requires all financial institutions regulated at the EU level to ensure they can withstand all ICT-related disruptions and threats. This means implementing measures across five core areas:

DORA lays out frameworks and guidelines for risk management in the financial sector. With increasing digital transformation and connectivity, EU market regulators are keen to safeguard FS and insurance companies, their supply chains, and their customers from increasing cyber attacks.

These guidelines aim to help organisations build more mature risk management programs and improve operational resiliency.

Learn more about our cyber security consulting and risk management services.

Your roadmap to DORA compliance

[Diagram: NCC Group's five steps toward DORA compliance]

Your compliance journey is easier with NCC Group. We offer unique 360° readiness to help financial services organisations of all sizes prepare for DORA, providing all necessary services under a single scope – no other service provider can do that.

Our DORA Readiness Assessment is designed to support financial institutions and critical third parties looking to achieve DORA compliance. A combined team of experts from our Incident Response, Business Continuity Planning & Disaster Recovery, Software Escrow (Escode), and Managed Service practices joins forces to give organisations an overview of any gaps in their governance procedures and processes in relation to the five mandated steps of the DORA legislation (outlined above).

Watch back our DORA webinar

DORA Demystified: What UK-Based Entities Need To Know
June 2024

NCC Group's Mick Flitcroft, James Pearce and Chantal Constable join Daniel McCatty of UK Finance to break down some of UK organisations' common DORA queries.

Further reading

Access unparalleled DORA coverage.

To book your comprehensive DORA Readiness Assessment, get in touch today.

For more information, download our DORA e-guide.