Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act (DORA) and its Impact on the Tech Industry
The legislation proposed by the European Commission seeks to create EU-wide rules that protect the operational resilience of the financial services industry.
This act would bring a wide range of ICT companies that supply products and services to the finance industry under the regulatory authority of the EU. This could have a major operational impact on those companies.
We explore this regulation and its impact on the tech industry.
What is DORA?
What key factors/components of this act do you need to know about?
Who is Impacted?
Which companies could be impacted by this regulation?
DORA: Making or Breaking the Relationship Between ICT Vendors and Financial Entities
Our financial industry experts discuss the proposed regulation and its impact.
5 Steps to Prepare for DORA
With DORA's final text due to be approved by the European Parliament soon, organisations need to get ready. You must ensure that you have the policies and procedures in place to meet the requirements laid out by the act. But where do you start? We have compiled a list of steps that financial entities and ICT vendors need to take to get ready for the implementation of DORA.
Financial Entities
1. Ensure the relevant people, including the management board, risk management and compliance teams, are aware of DORA. Ensure they understand the regulatory requirements that apply.
2. Identify all the relevant internal stakeholders. Set up a DORA programme involving those stakeholders and assign roles.
3. Undertake a preliminary self-assessment. A gap analysis will help your organisation assess whether its existing ICT risk management approaches meet the requirements proposed in DORA.
4. Define a risk-based road map to bridge any compliance gaps identified in your self-assessment and gap analysis.
5. Identify and prioritise the relevant partners you need to collaborate with.
ICT Providers
1. Appoint or introduce the role of compliance or regulatory officer to ensure that someone is managing this area for your business.
2. Undertake a preliminary self-assessment of your current clients to understand whether your organisation is a critical provider.
3. Review the draft regulations to understand both the requirements arising from the DORA provisions (direct impact) and the requirements to be fulfilled under contractual arrangements with a financial entity (indirect impact).
4. Assess the "critical or important functions" with your product and technology leaders. Highlight areas that qualify as "vulnerabilities" and "ICT third-party risk" under the regulations. Match and prioritise them against your customer base.
5. Plan how you will communicate to your clients how you intend to align with them, to prepare a shared approach to DORA (also a relationship-building opportunity).
For more information, or to speak with one of our analysts, contact us today.
Our Analysts
Archana Venkatraman
Associate Research Director, Cloud Data Management, IDC Europe
Maria Adele Di Comite
Research Director, IDC Financial Insights Corporate and Retail Banking