DORA is the EU's most significant regulatory initiative on cyber security and operational resilience, affecting most financial entities. These entities must comply with the regulation by January 2025. The initiative aims to create a single set of regulatory and supervisory rules for digital resilience across all Member States. For Luxembourg-based financial entities, DORA will have an extensive impact on the organization beyond Information and Communication Technology (ICT). The rules differentiate between outsourcing critical or important business processes (BPO) and "pure" ICT outsourcing, requiring organizations to have clear control and monitoring processes for outsourced activities. Additionally, DORA reinforces the European Banking Authority's (EBA) Guidelines on ICT and security risk management, emphasizing executive-level accountability for regulatory compliance, change management, critical outsourcing control and monitoring processes, and business continuity management (BCM).
The scope of DORA covers financial entities operating in the EU, including credit institutions, payment institutions, investment firms, electronic money institutions, crypto-asset service providers, central securities depositories, managers of alternative investment funds, management companies, and insurance and reinsurance undertakings.
As the regulation will become applicable on 17 January 2025, all in-scope entities have 24 months from the publication in the EU Official Journal (27 December 2022) to comply with all requirements. In order to ensure compliance, it is essential that all relevant stakeholders and the management body will have the ultimate responsibility for complying with DORA.
A set of Regulatory and Implementing Technical Standards (RTS and ITS) will be issued in the upcoming months to facilitate the implementation of the DORA. In this context, we recommend firms to conduct a DORA gap analysis and start the design of an enhanced operational resilience framework as soon as possible.
Avantage Reply can help financial institutions comply with the DORA regulatory requirements by leveraging our expertise in
IT risk management, outsourcing, operational risk and operational resilience. Our teams have a successful track record in supporting clients with risk assessments of their IT processes and implementing controls in order to mitigate risks. We have helped a multitude of clients in understanding operational resilience regulatory requirements and implementing them by adapting internal processes and procedures and/or developing new solutions to achieve full compliance.
More information about outsourcing regulatory developments at the European level here