The Digital Operational Resilience Act

DORA is designed to create a regulatory framework through which financial bodies ensure that their digital infrastructures resist and recover from technology related risks and cyber threats. In-scope entities include investment firms, banks and third party ICT providers. Such entities must seek to implement a comprehensive ICT Risk Management Framework and that:-

• ICT Risk sources are identified;
• Preventive and protective measures are duly implemented;
• Unusual activity is recognised immediately;
• Business Policies and recovery plans are established, and that adequate resources/staff are assigned to collect data on the entities’ vulnerability to cyber-attacks; and
• Adequate reporting lines are put in place to ensure the proper disclosure of ICT incidents.

Entities that fall within the scope of DORA are urged to address any gaps and ensure that they meet the 2024 minimum expectations to achieve DORA compliance by the end of the transition period, being the 17^th of January 2025. After the transition period, non-compliance may result in hefty penalties.

N.B. The above is only intended to serve for information purposes and does not constitute legal advice. Should you wish to obtain more information and/or specific advice, you are invited to reach out to our team of qualified professionals who will guide you further.