Digital Operational Resilience Act

The Digital Operational Resilience Act — so named even though the EU doesn’t technically have “acts”, we think, because “DORA” is a neat and quite cute acronym whereas “DORR” sounds a bit intellectually challenged and “DORD” sounds like the sort of thing that blocks a Galway lavatory — is an EU Regulation aimed at strengthening the IT security of financial entities and ensuring the European financial sector remains resilient during severe operational disruption.

It comes into force on 17 January 2025.

It requires in-scope entities to ensure there are key provisions in legal contracts with providers of in-scope IT contracts to ensure that financial entities maintain operational resilience and can manage risks associated with ICT services effectively:

1. Description of Services: A clear description of all functions and ICT services, and the locations from where these services and data processing are provided.
2. Service Levels: Detailed service level agreements — gulp — specifying performance standards and uptime availability.
3. Data security: Providing for data security and protection from unauthorised access.
4. Audit rights: Wide-ranging audit rights for the financial entity to ensure compliance with the contractual terms and regulatory requirements.
5. Termination Rights: Specific termination rights, including conditions under which the contract can be terminated and the procedures for doing so.
6. Subcontracting: Conditions for subcontracting ICT services, especially for critical or important functions
7. Co-operation with Authorities: Requirements for the ICT service provider to cooperate fully with competent authorities in case of investigations or incidents.
8. Exit Strategies: Provisions for managing the exit and transition of services to another provider or back in-house, ensuring continuity and minimal disruption.

See also

• Legislation