EU reaches DORA agreement. Here's what it means for you.
The Digital Operational Resilience Act (DORA) is the first EU regulation of its kind that focuses on how regulated financial services firms manage their ICT risk.
Firms and technology service providers will now have to ensure the resilience and availability of their Critical Business Services. This requires a more holistic, top-down and service-oriented approach to technology resilience, so technology leaders in financial services should expect to implement new resilience solutions.
EU negotiators have reached a full technical agreement on the content of DORA, and there is an aggressive timetable for implementation.
Regulated financial services firms will be expected to comply by Q4 2024.
What will DORA change?
DORA will set criteria and provide instructions for how financial organisations manage ICT risk, and the draft legislation includes stipulations for frequent communication, reporting and assessment.
As more major banks outsource parts of their tech stack to third-party vendors and modernise legacy infrastructure with cloud migration, third-party vendor resilience is also coming to the attention of EU regulators.
Crucially, DORA will bring Critical Technology Service Providers (TSPs) under the supervision of the European Supervisory Authority (ESA). DORA does not distinguish between cloud-based and non-cloud-based TSPs, and regulators will have the power to impose fines for non-compliance, and even to require regulated firms to end their arrangements with a TSP if issues are found.
There are 5 key pillars to DORA:
- ICT risk management
- ICT incident reporting
- Digital Operational Resilience testing
- ICT third-party risk management
- Information and intelligence sharing
To comply, regulated firms must establish greater resilience and governance in complex hybrid IT environments in accordance with the stipulations in each of these pillars.
Learn more about DORA
The refreshed guide to DORA (Your DORA Explorer) contains updated timelines and deadlines and considers how regulated firms can improve their resilience and establish greater governance across the entirety of their complex hybrid IT environments.
The time to act is now. Get your copy today.