Digital Operational Resilience Act
The JC’s Reg and Leg resource™
EU Edition
|
The Digital Operational Resilience Act — so named even though the EU doesn’t technically have “acts”, we think, because “DORA” is a neat and quite cute acronym whereas “DORR” sounds a bit intellectually challenged and “DORD” sounds like the sort of thing that blocks a Galway lavatory — is an EU Regulation aimed at strengthening the IT security of financial entities and ensuring the European financial sector remains resilient during severe operational disruption.
It comes into force on 17 January 2025.
UK equivalent
DORA was not directly copied into UK law as part of the Brexit transition because TAKE BACK CONTROL and everything, but the UK’s own regulatory framework addresses similar concerns about digital operational resilience because SILICON ROUNDABOUT and everything. This includes the UK Critical Third Parties (CTP) regime, primarily established through the Financial Services and Markets Act 2023 which aligns closely with DORA’s objectives. It allows HMT to designate third parties as “critical”, though this is done by name and not category, so the number of designated “Critical Third Parties” in the UK is relatively small. The designation process focuses on those third-party service providers whose failure could pose significant risks to the stability and resilience of the UK financial system.
Key legal provisions
It requires in-scope entities to ensure there are key provisions in legal contracts with providers of in-scope IT contracts to ensure that financial entities maintain operational resilience and can manage risks associated with ICT services effectively:
- Description of Services: A clear description of all functions and ICT services, and the locations from where these services and data processing are provided.
- Service Levels: Detailed service level agreements — gulp — specifying performance standards and uptime availability.
- Data security: Providing for data security and protection from unauthorised access.
- Audit rights: Wide-ranging audit rights for the financial entity to ensure compliance with the contractual terms and regulatory requirements.
- Termination Rights: Specific termination rights, including conditions under which the contract can be terminated and the procedures for doing so.
- Subcontracting: Conditions for subcontracting ICT services, especially for critical or important functions
- Co-operation with Authorities: Requirements for the ICT service provider to cooperate fully with competent authorities in case of investigations or incidents.
- Exit Strategies: Provisions for managing the exit and transition of services to another provider or back in-house, ensuring continuity and minimal disruption.