DORA - Regulatory Expectations & Implementation Checks for Financial Services

Introduction

DORA, or the Digital Operational Resilience Act, is a piece of EU legislation that will impact a huge range of financial services companies and beyond. As the first attempt to harmonise ICT risk management requirements at an EU-level, it contains detailed lists of requirements, rather than being principle-based, all aimed at boosting the operational and security capabilities of in-scope firms.

The scope covers all lenders, insurers, investment and fund managers as well as payment institutions and statutory auditors but goes further - it also regulates critical third-party ICT providers.

While this is EU regulation, any UK based firms operating in the EU, or outsourcing ICT activity to EU firms may either find themselves in scope or at least see changing capability in their third-party service providers. This will have a crossover into UK regulatory expectations and in particular to those firms subject to the Consumer Duty, where you are expected to act to avoid foreseeable harm - ICT-related incidents are clearly foreseeable.

As such this session is relevant to a broad range of firms and many different roles within those firms, from the traditional risk and compliance roles to relevant operations, technology, third-party vendor management and oversight functions too. We initially focus on the DORA requirements in detail and later in the day consider how to implement them, alongside broader operational resilience measures more specific to the UK regulatory expectations.

While the final detail of regulatory expectations is still to be confirmed, via a second tranche of Implementation and Regulatory Technical Standards (ITS / RTS) we know following the adoption of DORA in November 2022 what the European regulation is aiming to achieve and the outcomes expected. With full implementation in January 2025 and the requisite upgrade timelines for relevant systems and controls, firms should begin building a nimble implementation programme now, which drives us to full compliance by the end of 2024 while incorporating additional regulatory detail.

What You Will Learn

This course will cover the following:

• Why is DORA needed now?
• Drivers behind the regulation and forward-looking objectives
• Governance, timelines, and milestones
• Pillar 1 - ICT risk management
• Pillar 2 - ICT-related incident reporting
• Pillar 3 - Digital operational resilience testing
• Pillar 4 - ICT third-party risk
• Pillar 5 - Information sharing
• Reporting and evidencing ongoing oversight
• Practical steps to consider when reviewing your implementation plan