DORA was introduced as part of the Digital Finance Package in September 2020. Its purpose is to ensure the financial sector can maintain operational resilience through severe disruption of information, communication and technology systems.
It creates uniform requirements for a wide range of financial firms to manage their ICT risks and creates a regulatory oversight regime for ICT third parties providing services to financial entities.
It addresses gaps in the previously fragmented rules on ICT risk management, digital operational resilience, incident reporting, resilience testing and supervisory activities. Of significance is the inclusion of critical ICT third-party service providers.
DORA takes into account:
The NIS2 Directive is a piece of European Union (EU) legislation, applicable from October 2024, aimed at strengthening the cybersecurity of essential services and entities within the EU. While DORA is specifically tailored to the financial sector, it complements the broader cybersecurity framework established by NIS2.
Regulation Overview
DORA is a comprehensive piece of EU legislation designed to bolster the cybersecurity resilience of financial institutions. It applies to a wide range of financial entities which use ICT services, including credit institutions, investment firms, payment institutions, crypto-asset issuers and service providers, insurers, CSDs, CCPs, AIFMs, management companies, pension funds, data reporting service providers, credit rating agencies, trade repositories, benchmark administrators and securitisation repositories.
One of the core pillars of DORA is cybersecurity risk management. Financial institutions are mandated to conduct regular risk assessments to identify and evaluate potential cyber threats. These assessments should cover a wide range of vulnerabilities, including those related to technology, people, and processes. Additionally, institutions must develop and implement comprehensive incident response plans to effectively handle cyber incidents when they occur. These plans should outline clear procedures for containing the breach, mitigating its impact, and restoring operations. Furthermore, DORA emphasises the importance of managing third-party risks. Financial institutions must assess the cybersecurity practices of their suppliers and vendors and take appropriate measures to mitigate any potential risks.
Another key aspect of DORA is ICT resilience. Financial institutions are required to have robust business continuity plans in place to ensure that their operations can continue uninterrupted in the event of a cyberattack or other disruption. These plans should cover essential functions such as customer service, payment processing, and risk management. Additionally, institutions must have effective disaster recovery plans to restore ICT systems and data in case of a loss or damage. This includes having backups in place and testing recovery procedures regularly.
Impacts to Securities Lending & Borrowing
A considerable number of firms receive and provide ICT services to firms which engage in securities lending and borrowing. EU firms which have outsourced or receive any ICT services will be caught by the provisions of DORA and will need to comply with the digital operational resilience regime by January 2025. For many firms this will significantly add to governance and control frameworks and require considerable resources to assess and implement the regime across all its activities. Any non-EU ICT service provider providing services to EU entities will need to consider whether they could be designated a critical third-party service provider and whether they need to set up an EU office.
ISLA's Focus on the Topic
ISLA monitors developments in DORA through its Digital Steering group and reports on any proposals which may impact securities lending and borrowing markets.
14/12/2022: DORA published in the Official Journal (OJ) of the EU
25/06/2024: DORA RTS on the ICT risk management framework, incident classification and third-party policy published in the OJ
02/01/2025 (2025 onwards): Start of the oversight activities for the ESAs (incl. CTPP designation)
16/01/2023: DORA entered into force
17/01/2025: Application of DORA - financial entities compliant