DORA Compliance: key challenges to consider
The Digital Operational Resilience Act (DORA) applies from Friday, 17 January 2024, at the end of its two-year implementation period.
To support your understanding of the direct challenges faced by financial entities in the banking and payments, insurance and investment sectors, DLA Piper and Elixirr will co-host a Q&A webinar on Wednesday, 15 January 2025, providing regulatory support and practical guidance on DORA implementation.
THE MAIN REQUIREMENTS AND CHALLENGES
DORA impact assessment
DORA directly applies to EU regulated financial entities and indirectly affects the ICT service providers that serve those entities.
DORA aims to support secure digital transformation and innovation in the financial sector whilst crucially preserving market stability and integrity. For an individual organisation, this means enabling you to be digitally competitive whilst protecting your organisation with a strong and secure technology foundation.
DORA consolidates and standardises operational resilience across five key pillars:
- Operational risk management – including the establishment of business continuity and disaster recovery frameworks.
- Incident reporting – standardisation of identification, classification, reporting and analysis of incidents.
- Digital operational resilience testing – establishment of proportionate testing capabilities and remediation measures.
- ICT third party risk – assessment and mitigation of third party risk, including due diligence and contractual protections in place with third party service providers.
- Information sharing – establishment of information sharing channels for threat intelligence.
The key challenges in relation to DORA compliance
We have identified four key areas where financial entities need external support to address DORA compliance gaps:
DORA Challenge #1: Remediation of Contracts with ICT service providers
DORA Chapter V requires financial entities to ensure that their contracts with ICT service providers comply with the contractual obligations set out in DORA.
We have developed strategies and tools to ensure this activity can be carried out in a proportionate and efficient manner. We also have the resources to support and project manage contract remediation activities.
DORA Challenge #2: Digital Operational Resilience Testing & Threat-led Penetration Testing (TLPT)
Establishing testing activities in compliance with DORA may be onerous because of the mandated testing scenarios, and because legacy IT systems may not be adequately equipped to meet the stringent ICT risk management standards that DORA requires.
The core DORA testing requirements may require financial entities to adopt a broad range of technical, organisational, and cultural changes to achieve compliance. It is important to design a strategic and appropriately resourced approach to these testing requirements. Regulators will expect to see clear implementation plans for those financial entities that are unable to meet the January deadline for compliance.
DORA Challenge #3: ICT Risk Management Governance
Financial entities are required to demonstrate they have a robust ICT risk management governance structure in place that incorporates, among other requirements, incident response and management, business continuity and data protection.
Financial entities should be guided by the principle of proportionality, recognised by DORA, when designing and implementing ICT risk management frameworks.
DORA Challenge #4: ICT Service Providers
Whilst service providers are not directly in scope of DORA, those that provide ICT services to EU regulated financial entities will need to make contractual and operational changes so that their clients (the EU regulated financial entities) can comply with the requirements under DORA.
HOW WE CAN SUPPORT YOU
For strategic planning, advice, guidance and support through each stage of your DORA compliance project, please do not hesitate to contact DLA Piper and Elixirr.
On the basis of advice from DLA Piper as to the application of DORA to your organisation, Elixirr can support with an organisation-wide assessment to identify any critical control gaps, and provide a DORA implementation framework to enable you to make the essential changes required to achieve DORA compliance.
DLA Piper are recognised in all of the main legal directories as the market leader in the outsourcing sector, and in addressing the legal and contractual issues associated with such projects. We have in-depth and current experience of working on DORA remediation activities, acting on behalf of both service recipients (regulated institutions) and service providers to financial institutions. We understand the business drivers, critical issues and constraints, which enables us to focus on the true levers for creating successful, lasting arrangements.
Across Europe, our practice is currently advising a number of major financial services clients and service providers on their DORA compliance programmes. In our wider financial services regulatory market experience, we have also led broader regulatory remediation activities over a number of years, including acting for regulators and conducting remediation projects for major UK, European and global financial institutions.
About Elixirr
Elixirr is a leading challenger consultancy with expertise in cross-industry digital transformation and innovation. In 2024, Elixirr was recognised as a leading management consultancy by Forbes, Global Outsourcing 100, FT Management Consultants and Consultancy UK. They are leading several DORA programmes and have a strong understanding of the common challenges, which they use to devise implementation plans and roadmaps for achieving compliance throughout 2025. Their accelerated approach enables you to understand the gaps to compliance and remediate them quickly and effectively.
Elixirr’s DORA Controls Catalogue
The Elixirr DORA controls catalogue is a tool designed to consolidate all of the requirements outlined in DORA into a digestible, manageable format, categorised by context, control and attributes. Each requirement is assigned a unique ID, ensuring efficient tracking and alignment with best practice (including, for example, under the EU NIS 2 Directive). The catalogue extracts and organises key information from DORA and also includes a compliance worksheet to track adherence across different functions. This facilitates clear compliance management and promotes consistency of implementation across your business functions.
To hear more from the team about how they can help you navigate DORA, join our Q&A webinar on 15 January.