Editorial

DORA Demystified: Your Guide to Resilience and Compliance

With the Digital Operational Resilience Act (DORA) set to reshape the regulatory landscape, misconceptions persist about its scope and requirements. Let’s untangle some common myths to better understand DORA’s impact on Firms and ICT Providers, both within and beyond the EU.

Contributor

Liliana joined Delta Capita in September 2021. She is a highly motivated, multilingual operations professional with a broad range of knowledge and experience within the Financial Services industry.

Liliana Hillebrand-Measures
Principal Consultant

Myth #1: DORA is an entirely new approach

While DORA introduces a fresh regulatory framework, it is far from a complete departure from existing guidelines. The regime is more of an evolution, refining and consolidating existing European standards such as the European Banking Authority’s Guidelines on Outsourcing. Many Firms have long been implementing contractual requirements for ICT agreements, and DORA simply broadens this scope.

This 'new and improved flavour' addresses gaps in traditional outsourcing frameworks, mandating a harmonised approach for all ICT services, data, and digital processes.

The result? A more aligned and resilient ICT supply chain that reflects modern operational needs.


Myth #2: DORA prescribes mandatory contractual terms for agreements

Contrary to belief, DORA does not impose rigid contractual templates. Instead, Articles 28 and 30 outline flexible elements to include in agreements.

For example, Article 30 (2)(c) requires coverage on the availability, integrity, and confidentiality of personal data but allows for pre-existing terms in data processing agreements to suffice.

Key points to consider:

  • ICT Providers supporting critical or important functions are subject to specific requirements, but not additional layers of obligations.
  • Critical ICT Providers operate under a distinct framework overseen by the European Supervisory Authorities (ESAs).
  • Future DORA Standard Contractual Clauses (SCCs), if introduced, could streamline negotiations by providing standardised options akin to GDPR SCCs.


Firms and Providers must review their contractual obligations in light of DORA while remaining mindful of accompanying Regulatory Technical Standards (RTS) for practical guidance.


Myth #3: DORA only applies to EU-based entities

DORA’s scope extends beyond the EU, affecting approximately 22,000 EU-based Firms and an estimated 15,000 ICT Providers globally. Any ICT Provider servicing EU Firms, regardless of its location, must comply with DORA provisions.

For UK-based ICT Providers, this creates a dual compliance challenge. They must navigate both DORA and the UK’s framework for critical third parties, established in November 2024 by the FCA, PRA, and Bank of England. UK rules mirror DORA’s requirements, adding an additional layer of operational and reporting obligations for Providers offering services to both UK and EU Firms.


Myth #4: ICT Providers can self-classify as Critical Providers

The classification of an ICT Provider as “Critical” lies solely with the ESAs, not the Providers themselves. This determination, expected to begin in mid-2025, will be based on factors such as:

  • The systemic impact of potential ICT disruptions.
  • The degree of Firms’ reliance on the Provider.
  • The ease of substituting the Provider’s services.

Critical Providers will fall under a dedicated ESA oversight framework, with a lead overseer assigned based on the size and systemic importance of the Provider's Firm clients. Non-critical Providers, while not overseen, may still opt into the framework voluntarily.

Myth #5: Non-critical Providers don’t need to prepare for DORA

Even ICT Providers not designated as Critical must be proactive. DORA introduces contractual expectations from Firm clients, necessitating contract amendments, renegotiations, and the inclusion of compliance-related provisions.

Critical Providers, meanwhile, face more extensive obligations, including:

  • Providing detailed assurance and incident notifications to lead overseers.
  • Conducting resilience testing and scenario-based exercises.
  • Maintaining adequate EU business presence for enforceability of penalties.

Sanctions for non-compliance can include daily penalties of up to 1% of global daily turnover and, in severe cases, service suspension or termination requests by the lead overseer.

Conclusion

DORA is more than a compliance challenge; it’s a transformative framework designed to enhance digital operational resilience across the financial sector. For both Firms and ICT Providers, understanding and addressing these myths is crucial to building a robust strategy for navigating DORA’s requirements.

Proactive preparation today will ensure smoother transitions into compliance and unlock the resilience benefits DORA promises for the interconnected financial ecosystem.

How can Delta Capita help?

Delta Capita provides highly qualified expertise and resources to assist you in navigating DORA's regulatory requirements, helping your organisation achieve its resilience objectives.

Our global network of industry specialists can collaborate with your technology risk function, existing operational resilience initiatives, cyber security measures and third-party risk management programmes to identify and address any shortcomings in your digital and operational resilience maturity.

To learn more, please contact: Karan Kapoor (Global Head of Regulatory Consulting) karan.kapoor@deltacapita.com