26 Feb 2024

Back in 2020, the European Commission issued its first draft of the Digital Operational Resilience Act (DORA) as part of the European Union’s Digital Finance Package (DFP). The DFP consists of a digital finance strategy, legislation and guidelines for operational resilience for Europe’s future in the age of digital transformation.

Fast forward to 2024, and we are less than a year away from DORA’s rules and regulations coming into effect in January 2025. As expected, DORA will be a key subject for many firms throughout the year in the run-up to its implementation. Here at RFA, my team will be guiding firms on how to successfully incorporate the rules and guidelines into their operational structures and business models.

Before I dive into six key considerations for firms, I will recap the overall mission and main objectives of DORA. DORA will apply to a broad range of financial services entities with very few exceptions. The overall objective is to enhance the operational resilience of financial services companies and ensure that firms have the appropriate measures in place to manage risks in the digital age.

 

The key objectives include:

  1. Digital Operational Resilience: The legislation seeks to ensure that businesses have robust systems and processes in place so that they are able to identify, detect, protect against and recover from cyber threats and other digital risks.
  2. Third-Party Risk Management: The regulation demands that firms are able to carry out appropriate due diligence on their third-party managed service providers. Firms will need to have structures in place to ensure they can carry out ongoing monitoring of risks when they choose to outsource to partners.
  3. Incident Reporting and Response: Businesses will be legally required to have an appropriate incident reporting and response plan should they be subjected to a cyber attack or IT failure. It will be a legal requirement for firms to report such attacks to their national authority and to do so competently within a specified timeframe.
  4. Oversight and Governance: Financial services firms will need to have appropriate governance and oversight in place. This includes members of the board and senior team having the relevant skills to manage digital risks.

 

So what are the key takeaways for financial services firms in the run-up to January 2025 to ensure successful implementation of DORA? Below, I highlight the areas that firms should be investing in this year:

  1. ICT Risk Management: Firms will need to establish robust ICT (Information and Communication Technology) risk management policies and procedures to identify, assess, and mitigate potential threats and vulnerabilities related to their IT systems and infrastructure.
  2. Incident Reporting: DORA will aim to enhance incident reporting requirements, ensuring that regulated firms promptly notify relevant authorities about significant cyber incidents and disruptions.
  3. ICT Testing and Assessment: The legislation will mandate regular testing and assessment of firms’ ICT systems to identify weaknesses and vulnerabilities, helping them to proactively address potential risks.
  4. Cybersecurity Measures: DORA will require firms to implement appropriate cybersecurity measures to protect their critical systems and sensitive data from cyber threats.
  5. Outsourcing Oversight: The act might outline specific guidelines for outsourcing arrangements, ensuring that regulated firms maintain control and oversight over their outsourced functions, including those provided by third-party service providers like RFA.
  6. Business Continuity Planning: DORA will emphasize the importance of robust business continuity planning, requiring firms to have contingency measures in place to maintain critical functions during ICT-related incidents.

If you would like to learn how RFA can help your business prepare for DORA ahead of the implementation deadline, feel free to reach out.

