The Digital Operational Resilience Act will come into effect on January 17, 2025. This EU regulation aims to strengthen the IT security of financial entities such as banks, insurance companies, and investment firms. It is meant to ensure that the financial sector in Europe remains resilient in the event of severe operational disruptions. Financial institutions that fall within the scope of this regulation need to step up their digital resilience, be ready for future adjustments, and set a strong monitoring strategy to maintain compliance.
The key question is: how can institutions prepare for DORA compliance? In this article we dig into the scope of the regulation and give practical examples of how technology can help legal teams pave the way.
About DORA
For years now, European bodies have actively supported the financial sector’s action against Information and Communication Technology (ICT) threats.
The European Banking Authority (EBA) has been addressing the issue and published its Guidelines on ICT and Security Risk Management in 2019.
At the same time, the European Securities and Markets Authority (ESMA) has been working with national competent authorities on this and related topics such as enhanced investor protection, orderly markets and financial stability.
What’s new?
DORA extends the scope, nature and approach of existing texts and guidelines to ensure enhanced resilience in the face of growing risks.
- Scope
The new regulation applies to a wider range of financial institutions and their critical third-party service providers (beyond just ICT service providers), covering 20 types of financial entities and a more comprehensive list of ICT services.
- Nature
Unlike the earlier recommendations and guidelines issued by the EBA and ESMA, DORA is a legally binding regulation with clearly defined requirements and deadlines for compliance, forcing financial entities to act and improve their resilience to potential security risks.
- Approach
The approach is more comprehensive, addressing the full lifecycle of ICT services in relation to financial institutions.
What are the goals?
As the financial landscape changes, so must legislation. DORA aims to:
- Address the increasing dependency of the financial sector on technology and technology companies.
- Mitigate the risk of cyber-attacks and incidents in the financial sector as the number and gravity of threats increase constantly.
- Ensure stable and reliable financial services in the broader economy.
Who is affected?
The scope of financial entities affected by the DORA regulation has been extended compared to previous texts and guidelines. It includes banks, insurance companies, and investment firms above a certain size. ICT third-party service providers are also affected, although differently, as they play a major role in cybersecurity.
Key responsibilities for financial entities to be DORA compliant
The Digital Operational Resilience Act (DORA) sets out several key responsibilities for financial entities to ensure they can withstand and recover from ICT-related disruptions. Here are the main responsibilities:
Risk Management
Financial entities must establish and maintain robust digital operational resilience frameworks. This includes comprehensive policies to manage ICT risks throughout the lifecycle of ICT systems, from development to decommissioning.
Incident Reporting
Entities are required to promptly report significant cyber incidents to their regulatory authorities. This ensures timely information flow, crucial for managing systemic risks and enhancing overall resilience.
Digital Operational Resilience Testing
Regular testing of digital resilience is mandatory. This includes vulnerability assessments, penetration testing, and scenario-based exercises to assess the effectiveness of preventive, detection, response, and recovery capabilities.
Third-Party Risk Management
Financial entities must manage risks associated with third-party ICT service providers. This involves thorough due diligence before entering agreements and continuous monitoring of service providers’ performance and compliance.
Governance
Entities must implement a strong governance framework to oversee ICT risk management and resilience activities. This includes clear roles and responsibilities, regular reviews, and updates to strategies and policies.
How to Get DORA-Ready
DORA will apply as of January 17, 2025. You have probably started, but now it’s high time to wrap that up.
Identify your ICT dependencies
The first big step is to create a detailed list of your ICT systems and providers and identify those that fall within the DORA regulation. The Digital Operational Resilience Act includes a list of providers to help with identification. That list of ICT services is final and closed: if an ICT provider does not match any of the descriptions in DORA, there is no further preparation to do for it.
How? You can use a CLM tool to find the contracts with ICT providers. These documents may contain clauses that show whether an ICT provider is subject to the DORA regulation. In a matter of minutes, you can search for the applicable clauses and generate a list of the ICT providers potentially in scope. AI can be extremely useful here: it simplifies and speeds up the search while ensuring that no contractor is left out.
Annex III of the Draft Implementing Technical Standards (ITS) for the Digital Operational Resilience Act (DORA) contains the full list of considered ICT services.
Evaluate critical or important functions
DORA defines a series of critical or important functions that can affect the performance, stability, and continuity of financial entities' services and prevent them from complying with existing mandatory regulations.
Once you have identified your ICT providers, you must assess the critical or important functions they support and roll out a testing plan to comply with the obligations of the regulation.
How? The CLM tool can be leveraged to look for certain functions or services offered by your ICT providers and to identify the need for and scope of testing. This task can be executed quickly if you are using a CLM tool with powerful AI features: it lets you search your contracts for relevant keywords and get answers within seconds.
Establish risk assessments of your ICT service providers
To evaluate potential risks, you need a robust tracking system that lets you identify past incidents and map them in detail. You must also ensure there is an efficient way to create and share incident reports with your board of directors and regulatory bodies. You are also required to carry out ongoing testing and monitoring to mitigate future risks and threats.
How? The risk assessment is divided into two phases: assessment of past threats with detailed mapping, and continuous monitoring of potential threats and security breaches. Both require efficient reporting and analysis features to facilitate auditing and compliance checks. You can leverage your legal entity management tool if it offers report-building capabilities. Having a centralized repository facilitates communication with regulatory bodies. It is also recommended to implement real-time threat detection technologies.
Implement necessary changes
You may need to implement changes to become DORA compliant. From a practical point of view, this means setting up a dedicated team and allocating the necessary resources. Ensure that external audits have been conducted and that internal processes for testing, tracking, and mapping are in place by the beginning of 2025.
Using Corporate Governance Tools to Facilitate DORA Compliance
Legal tech tools like Contract Lifecycle Management (CLM) and Entity Legal Management (ELM) platforms provide centralized oversight, enabling real-time tracking of compliance activities, improved risk management, and seamless reporting to authorities. These solutions simplify and streamline compliance processes, making them indispensable for organizations navigating DORA requirements. On the other hand, failing to adopt specialized solutions for DORA compliance exposes financial organizations to unnecessary risks and inefficiencies. Without these tools, CxOs face challenges such as fragmented data management, manual processes prone to errors, and delays in responding to regulatory requirements.
Below, we outline three practical use cases demonstrating how legal tech can support DORA requirements.
1. Mapping ICT Service Providers and Critical or Important Functions
The first step toward DORA compliance involves identifying ICT service providers performing critical or important functions in your ecosystem. A Contract Lifecycle Management (CLM) tool is invaluable in speeding up this process—especially when enhanced by AI-powered features.
How:
- Advanced Search Capabilities: Use the platform’s search engine to identify contracts with specific clauses, such as audit rights or ICT service provider agreements, which are essential under DORA.
- Build reports: Create filters to isolate relevant agreements, like software licenses or SaaS contracts. You can refine searches further by adding parameters to locate subcontractor-related clauses.
- AI-Powered Clause Extraction: Even if clauses aren’t pre-tagged, AI can identify relevant terms, such as those tied to country-specific regulations (e.g., ACPR clauses in France).
Within minutes, you can generate a list of ICT providers, analyze their compliance clauses, and export this data for further review. AI-enabled clause libraries can also store all contract terms relevant to DORA, ensuring accuracy and easy access when dealing with third-party requirements.
2. Generating Incident Reports and Effectively Communicating with Relevant Parties
DORA mandates timely reporting of ICT-related incidents, regardless of their size. Major incidents must be reported as early as four hours, and no later than 24 hours, after being classified as critical (source: Taylor Wessing). Reports must be detailed, covering root causes, affected systems, and involved parties.
An Entity Legal Management (ELM) platform simplifies incident tracking and ensures effective communication with stakeholders.
How:
- Customizable Boards: Use tailored dashboards to track, document, and manage ICT incidents. For example, if a cloud provider suffers a breach, input detailed descriptions such as affected systems, root causes, and parties involved.
- Regulatory-Ready Fields: Capture all DORA-required data, including discovery dates, affected institutions, and incident categorizations (major vs. minor).
- Activity Feed: Maintain a real-time activity log to monitor incident progress, document actions, and streamline updates to stakeholders and regulators.
- Integrated Reports: Generate comprehensive incident reports that are easy to share with regulatory bodies or internal committees.
An ELM tool ensures transparency and facilitates communication, offering real-time updates while supporting regulatory compliance.
3. Maintaining Strong Governance Processes
Governance lies at the core of DORA compliance, requiring financial entities to formalize oversight structures and establish clear communication methods among the parties involved. Board members and CxOs are highly involved in this process, so effective communication between them and clear tracking of tasks are essential. A robust board portal tool helps track the status of the DORA-related activities (incidents, pending contractual updates) that the relevant parties have been discussing, and maintains a clear audit trail.
How:
- Board Portals: Create DORA-specific committees with predefined templates for agendas, attendance tracking, and decision logs that address those regulatory requirements directly.
- Incident Review and Decision Tracking: Present incident updates, review key reports, and document the decisions taken by committees.
- Synchronization with the Board: Ensure alignment between DORA committees and board-level discussions by linking decisions and agendas.
- Minutes and Action Plans: Record meeting minutes, decisions, and assigned tasks, storing them for future reference to keep track of pending actions or upcoming changes related to DORA.
A centralized platform enhances governance by improving transparency, reducing administrative burdens, and keeping all stakeholders engaged and accountable.
Ready?
DORA introduces new regulatory challenges for financial entities and ICT providers, both of which are used to operating in complex environments. As regulations evolve, so do the technologies that support compliance efforts. For legal teams and C-suite executives, leveraging the right tools is essential to meet compliance requirements and to free up time to focus on strategy and on aligning internal efforts with external parties.
DiliTrust Governance provides the support teams need to meet compliance requirements effectively. To discover how our solution can ease your operations, book a demo with us today.
Ready for DORA?
Watch or rewatch our webinar on DORA, which covers the principles of this new regulatory framework and shares actionable insights on getting ready to be DORA compliant.