The Digital Operational Resilience Act, commonly referred to as DORA (Regulation (EU) 2022/2554), is a landmark European Union (EU) regulation aimed at strengthening information and communication technology (ICT) risk management across the EU financial sector. It applies from 17 January 2025 and imposes comprehensive, binding technical requirements on both financial entities and the critical third-party ICT service providers that serve them.
The Purpose of DORA
DORA has two primary objectives:
- Comprehensive ICT Risk Management: The regulation sets out how financial entities must identify, protect against, detect, respond to, and recover from ICT risk, rather than leaving this to sector- or country-specific guidance.
- Harmonization of Regulations: It replaces the patchwork of national and sectoral ICT risk rules with a single framework that applies uniformly across EU member states. This harmonization removes the gaps, overlaps, and conflicts that disparate national regulations can create, simplifying compliance for financial entities and strengthening the resilience of the EU financial system as a whole.
Implementation and Oversight
Although DORA has been formally adopted by the EU, many of its detailed requirements are set out in secondary legislation still being finalized by the European Supervisory Authorities (ESAs): the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA). The ESAs draft the regulatory technical standards (RTS) and implementing technical standards (ITS) that specify, for example, the contents of the ICT risk management framework, incident classification criteria and reporting templates, and the register of information on third-party arrangements; covered entities must comply with these standards once they are adopted. The standards are expected to be completed during 2024. In parallel, the European Commission is finalizing the delegated acts that underpin DORA's oversight framework for critical ICT third-party providers, under which the ESAs act as Lead Overseers; this work is also expected to conclude in 2024.
Key Domains of DORA
DORA establishes technical requirements for financial entities and ICT providers across four primary domains:
- ICT Risk Management and Governance
- Incident Response and Reporting
- Digital Operational Resilience Testing
- Third-Party Risk Management
Information sharing on cyber threats and intelligence between financial entities is encouraged under DORA, but not mandated.
A notable feature of DORA is that it reaches both financial entities and the ICT providers that serve them. Financial entities are expected to manage third-party ICT risk actively, which includes negotiating specific contractual terms covering exit strategies, audit and access rights, and service levels and performance targets. Entities may not contract with ICT providers that cannot meet these requirements, and competent authorities can require them to suspend or terminate non-compliant arrangements. The European Commission is also considering drafting voluntary standard contractual clauses to make compliance easier.
In addition, financial entities will need to map their third-party ICT dependencies and ensure that their critical or important functions are not overly concentrated in a single provider or a small group of providers.
Automation Solutions with Omnia BPM
In this evolving regulatory landscape, automation becomes crucial. AI-driven automations and the Omnia BPM low-code platform can make your IT systems more proactive, your processes more efficient, and your people more productive. Omnia BPM's smart apps, readily adaptable to the financial services sector, are designed to help clients reduce risk and accelerate the adoption of new regulations for their most sensitive processes.
With Omnia BPM, you can speed up innovation while maintaining compliance and security, giving your financial institution the tools it needs to operate effectively under the new DORA framework.
Tony Vitale