Digital Operational Resilience Act (DORA)

DORA was introduced as part of the Digital Finance Package in September 2020. Its purpose is to ensure the financial sector can maintain operational resilience through severe disruption of information, communication and technology systems.

It creates uniform requirements for a wide range of financial firms to manage their ICT risks and creates a regulatory oversight regime for ICT third parties providing services to financial entities.

It addresses gaps in the previously fragmented rules on ICT risk management, digital operational resilience, incident reporting, resilience testing and supervisory activities. Of significance is the inclusion of critical ICT third-party service providers.

DORA takes into account:

  • EBA Outsourcing Guidelines Sept 2019
  • ESMA Cloud Outsourcing Guidelines 2021
  • IOSCO Principles on Outsourcing Oct 2021

The NIS2 Directive is a piece of European Union (EU) legislation, applicable from October 2024, aimed at strengthening the cybersecurity of essential services and entities within the EU. While DORA is specifically tailored to the financial sector, it complements the broader cybersecurity framework established by NIS2.

Regulation Overview

DORA is a comprehensive piece of EU legislation designed to bolster the cybersecurity resilience of financial institutions. It applies to a wide range of financial entities which use ICT services, including credit institutions, investment firms, payment institutions, crypto-asset issuers and service providers, insurers, CSDs, CCPs, AIFMs, management companies, pension funds, data reporting service providers, credit rating agencies, trade repositories, benchmark administrators and securitisation repositories.

One of the core pillars of DORA is cybersecurity risk management. Financial institutions are mandated to conduct regular risk assessments to identify and evaluate potential cyber threats. These assessments should cover a wide range of vulnerabilities, including those related to technology, people, and processes. Additionally, institutions must develop and implement comprehensive incident response plans to effectively handle cyber incidents when they occur. These plans should outline clear procedures for containing the breach, mitigating its impact, and restoring operations. Furthermore, DORA emphasises the importance of managing third-party risks. Financial institutions must assess the cybersecurity practices of their suppliers and vendors and take appropriate measures to mitigate any potential risks.

Another key aspect of DORA is ICT resilience. Financial institutions are required to have robust business continuity plans in place to ensure that their operations can continue uninterrupted in the event of a cyberattack or other disruption. These plans should cover essential functions such as customer service, payment processing, and risk management. Additionally, institutions must have effective disaster recovery plans to restore ICT systems and data in case of a loss or damage. This includes having backups in place and testing recovery procedures regularly.

Impacts to Securities Lending & Borrowing

A considerable number of firms receive and provide ICT services to firms which engage in securities lending and borrowing. EU firms which have outsourced or receive any ICT services will be caught by the provisions of DORA and will need to comply with the digital operational resilience regime by January 2025. For many firms this will significantly add to governance and control frameworks and require considerable resources to assess and implement the regime across all of their activities. Any non-EU ICT service provider providing services to EU entities will need to consider whether it could be designated a critical third-party service provider and whether it needs to set up an EU office.

ISLA's Focus on the Topic

ISLA monitors developments in DORA through its Digital Steering group and reports on any proposals which may impact securities lending and borrowing markets.

Timeline

  • 14/12/2022: DORA published in the Official Journal (OJ) of the EU
  • 16/01/2023: DORA entered into force
  • 25/06/2024: DORA RTS on ICT risk management framework, incident classification and third-party policy published in the OJ
  • 17/01/2025: Application of DORA, financial entities compliant
  • 01/02/2025 (2025 onwards): Start of the oversight activities for the ESAs (incl. CTPP designation)
