DORA Regulation - Digital Operational Resilience Act
Is your financial institution prepared for the Digital Operational Resilience Act (DORA) regulation?
DORA aims to strengthen the security posture of the European Union’s financial sector by imposing specific technical standards on a wide range of financial institutions and entities, including banks, insurance companies, and investment firms, as well as their critical third-party information and communication technology (ICT) providers.
Covered entities must be in compliance with DORA by January 17, 2025.
In this article:
- Understanding DORA Regulation
- Axiom: Your Partner in DORA Compliance
- DORA Regulation FAQ
- Regulatory & Compliance Lawyers for Financial Services
In need of experienced counsel that can navigate the DORA requirements?
At up to 50% lower rates than law firms, Axiom can help you find & engage the right regulatory, commercial, and compliance lawyers with the relevant knowledge and experience to seamlessly navigate the EU’s new DORA requirements and ensure compliance.
90% of clients rate Axiom lawyers as equal to or better than lawyers from a law firm.
Get in Touch With Axiom
Let's discuss your legal department challenges and work together to find the right flexible in-house legal talent or outside counsel solutions.
Understanding DORA Regulation
As banks and other financial entities have grown increasingly dependent on technology, they’ve become more vulnerable to cyberattacks. If not adequately managed, these risks can potentially disrupt financial services across national borders and eventually impact other companies, sectors, and even the entire economy.
Before DORA, European Union (EU) member states issued their own risk management rules, creating a regulatory patchwork that was difficult for financial institutions to navigate. By standardising these rules, DORA seeks to address the gaps, overlaps and conflicts that could arise between disparate regulations in different member states.
What Entities are Subject to DORA Requirements?
DORA applies to a broad range of financial institutions and entities, including those headquartered in European Union member states and non-EU organizations operating within the European market, such as:
- Banks
- Payment institutions
- Electronic money institutions
- Investment firms
- Insurance and reinsurance companies
- Credit rating agencies
- Crypto-asset service providers (CASPs)
- Crowdfunding service providers
- Managers of alternative investment funds (AIFMs)
- UCITS management companies
DORA also applies to ICT third-party providers that European Union regulators designate as “critical,” such as:
- Cloud computing providers
- Data center operators
- Software vendors
- Data analytics firms
What Does DORA Require?
DORA establishes technical requirements across five pillars:
- ICT Risk Management and Governance: An organisation's leadership—including board members, executives, and senior managers—must establish and implement effective risk management strategies and stay up-to-date on the ICT risk landscape. They may be held personally liable for non-compliance.
- Incident Response and Reporting: Covered entities must establish systems for monitoring, managing, logging, classifying and reporting ICT-related incidents. Specific reporting requirements depend on the severity of an incident.
- Digital Operational Resilience Testing: Covered entities must test their ICT systems regularly to assess the strength of their protections and identify vulnerabilities. Testing results and plans for addressing any vulnerabilities must also be reported to the relevant authorities.
- Third-Party Risk Management: Financial firms are expected to actively manage ICT third-party risks. When contracting with such providers, they must negotiate specific provisions regarding exit strategies, audits and performance targets for accessibility, integrity and security. Critical ICT third-party providers will be subject to oversight from the relevant European Supervisory Authorities (ESAs).
- Information and Intelligence Sharing: The final pillar of DORA promotes sharing information and intelligence related to cyber threats and vulnerabilities among organizations.
While not required, DORA also encourages entities to participate in voluntary threat intelligence-sharing arrangements.
Axiom: Your Partner in DORA Compliance
DORA will place a significant compliance burden on financial entities operating in the European Union at a time when many corporate law departments face considerable budgetary and headcount pressure.
Axiom can help both financial entities and ICT providers.
With access to an international network of more than 14,000 high-caliber legal professionals, Axiom can connect your organisation with one or more regulatory, commercial and/or compliance lawyers with the relevant knowledge and experience to seamlessly navigate the complex requirements imposed by DORA.
- Regulatory Compliance Advisory: Provide comprehensive guidance on interpreting and adhering to DORA requirements.
- Implementation Support: Assist with developing and implementing a risk mitigation strategy, testing protocols, and incident reporting and response systems.
- Contract Negotiation and Compliance Support: Draft and negotiate contracts/amendments with third parties and monitor/manage risks.
- Training and Education: Creation of playbooks for educating leadership on the new requirements and their obligations under DORA.
Why Choose Axiom?
Partnering with Axiom ensures you never have to compromise your highest standards.
Just 3% of lawyers who apply are eventually hired by Axiom, and only after undergoing an intensive interview and background check process that requires the submission of at least three references from past supervisors. Those who make the cut average 15 years of experience, including tenures at Fortune 500 and Am Law 200 firms. Many are graduates of a U.S. News & World Report Top 50 Law School.
This deep bench of legal talent allows us to tailor engagements to your specific needs. Axiom lawyers are available full- or part-time and for long-term or short-term assignments, either onsite or from a remote location. While your team will be responsible for supervising their work, we’ll partner with you throughout the onboarding process to ensure they’re fully meeting your expectations from day one.
DORA EU Regulation FAQ
The Digital Operational Resilience Act (DORA) is a regulation established by the European Union to ensure the operational resilience of digital services within the financial sector. It aims to harmonise the management of ICT risks across the EU and enhance the resilience of financial entities to cyber threats. DORA introduces a comprehensive oversight framework for critical ICT third-party providers, involving key regulatory bodies such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA).
DORA’s key requirements are:
- ICT Risk Management: Entities must have robust frameworks for managing ICT risks.
- Incident Reporting: Entities must report significant ICT-related incidents to the relevant authorities.
- Digital Resilience Testing: Regular testing of ICT systems to identify vulnerabilities.
- Third-Party Risk Management: Ensuring that third-party service providers meet ICT risk management standards.
- Information Sharing: Promoting information sharing among financial entities regarding cyber threats.
Entities can prepare for DORA by:
- Conducting a gap analysis to identify areas where their current ICT risk management practices do not meet DORA requirements.
- Developing a comprehensive ICT risk management framework.
- Implementing robust incident reporting and response procedures.
- Conducting regular digital resilience testing.
- Ensuring that third-party service providers comply with DORA standards.
Ready to Connect with Axiom?
Axiom helps the world's top companies and organisations, from mid-market innovators to over half of the Fortune 100, work smarter, mitigate risk more effectively, and make the most of every budgeted dollar without compromising legal outcomes.
If your financial institution requires assistance navigating the complexities of DORA, we’re ready to help. Axiom’s regulatory compliance lawyers have deep experience in data privacy, finance, regulations, compliance, and more.