DIGITAL OPERATIONAL RESILIENCE ACT (DORA)

The Digital Operational Resilience Act (DORA) is designed to enhance operational resilience, reduce IT threats and boost the ability of financial companies in the EU to prevent and deal with ICT related incidents. It comes into force on 17th January 2025, as part of the EU's efforts to regulate the digital sector.

DORA applies to all financial institutions in the EU, but its remit covers any UK financial firm that works with EU customers or does business with EU financial firms. For some companies, it will require additional IT security measures – even if they already adhere to frameworks including ISO 27001 or COBIT. 

UNDERSTANDING DORA: WHAT UK BUSINESSES NEED TO KNOW

DORA applies to financial institutions including (but not limited to) credit and payment institutions, investment firms, insurance companies and intermediaries, pension funds and trading platforms. 
The Regulation sets a regulatory framework on digital operational resilience, encompassing IT risk management, mandatory incident reporting, documentation of test plans, third-party risk management, plus training and governance. Compliance will ensure firms have the correct systems in place to withstand, respond to and recover from all types of ICT-related disruptions and threats, including through third parties.

Obligations for impacted companies can be roughly divided into five groups:

  • (ICT) Risk management
  • Digital operational resilience testing
  • Managing security of IT service providers (ICT Third-party risk)
  • (ICT) Incident management (classification and reporting)
  • Information exchange (e.g. exchange of information on cyber threats)
DOWNLOAD OUR DORA PRACTICAL GUIDE

THE IMPORTANCE OF DORA COMPLIANCE FOR UK ORGANISATIONS

Although DORA is an EU regulation, it impacts third-party ICT providers too. DORA only allows companies to enter into contract with providers that meet the information security requirements as set out in the framework. This includes UK-based providers of cloud services, network services, hardware services and ICT consulting, when supplying services to EU financial companies. 

DORA is a complex regulation, which increases obligations for many organisations. A hasty or uninformed approach may not only leave your organisation vulnerable, but also put you at risk of legal and financial penalties.

Any breach of requirements could lead to a fine of up to 2% of total annual worldwide turnover, or up to 1% of the company's average daily turnover worldwide.

DORA COMPLIANCE SERVICES FROM BUREAU VERITAS

Our experts at Secura, a Bureau Veritas company, offer a range of services to support compliance with DORA, wherever you are on your cyber security journey.

  • DORA boardroom training

    DORA requires directors to undergo training to demonstrate effective governance around cyber security issues. We have developed DORA boardroom training in collaboration with De Clercq Lawyers, providing insight into the risk management measures that organisations must take as a minimum based on DORA. This one day course can be delivered at a location of your choice. 

  • DORA gap assessment

    Our specialist team can perform a DORA gap assessment, providing a detailed overview of your current security maturity level and the steps you need to take to become DORA compliant. This service is based on our proven Security Maturity Assessment.

  • DORA implementation services

    We also offer a range of services to help implement DORA for your organisation. The specific scope of our solution will depend on the outcome of your DORA gap analysis, but may include our CyberCare security service, security management, awareness and behaviour support, incident response and vendor security services.

DOWNLOAD OUR DORA SERVICES BROCHURE

STEPS TO ACHIEVE DORA COMPLIANCE IN THE UK

If you already know your organisation is subject to DORA or has EU-based clients that will fall under the regulation, it is important to start preparing for compliance early. Speak to our cyber security experts to understand more about initial DORA assessment and planning, as well as how to implement the strategies and solutions you need to manage risk and achieve compliance. 
 

WHAT ARE THE BENEFITS OF DORA COMPLIANCE?

Compliance is mandatory for some organisations, but compliance with DORA will also deliver other benefits, including: 

  • Improved cyber resilience and better planning for ICT threats
  • Enhanced understanding of ICT risks across the organisation
  • Greater control of ICT supply chains
  • Enhanced incident reporting and information sharing
     

WHY CHOOSE BUREAU VERITAS FOR YOUR DORA COMPLIANCE NEEDS? 

  • Experienced team with decades of governance risk and compliance experience
  • A range of services specifically developed to meet your DORA needs and help you become DORA compliant
  • Cybersecurity experts in the field of people, processes and technology
  • A single point of contact and proven partnership approach
  • A clear roadmap to become and stay DORA compliant
  • Backed by the global expertise of Bureau Veritas, a world leader in testing, inspection and certification services

  • HOW DOES DORA RELATE TO EXISTING FRAMEWORKS SUCH AS ISO 27001?

    Existing risk frameworks, such as NIST and ISO 27001 provide guidance on how to comply with various laws, through processes such as training staff, performing audits and tests, using incident management and supply chain risk management. These kinds of risk frameworks are a good addition to the DORA, but complying with these standards does not mean that you automatically comply with DORA, which is a regulation in its own right.

  • HOW WILL DORA CHANGE INCIDENT RESPONSE REQUIREMENTS?

    Incident management is a critical aspect of ensuring security and continuity of services. 
    Under DORA, companies must have plans in place to communicate with staff, external stakeholders, the media and clients, in the event of an incident, adhering to strict timelines. Internal escalation procedures must also be established. 

    In addition, major incidents must be reported to relevant senior management and “the management body”, with an explanation of the impact, response, and additional controls to be established as a result of the incident. 
     

  • WHAT IS THE DORA TIMELINE?

    The first batch of DORA policy products were published on 17th January 2024 and DORA applies from 17th January 2025. Additional Regulatory Standards (RTS) and Implementing Technical Standards (ITS) have (First batch January 17th 2024) and are (Second batch 17 July 2024) being published.

GET IN TOUCH WITH A MEMBER OF THE TEAM BY SUBMITTING YOUR DETAILS BELOW:

Please select country prefix
Enquiring about
If known (Approx.)
If known (Approx.)
Maximum 3 files.
2 MB limit.
Allowed types: pdf, doc, docx, ppt, pptx, xls, xlsx, jpg, png.
I have read and understood the terms and conditions of {Personal data protection policy}.
Your personal data is collected by Bureau Veritas UK, having its registered office at Suite 206, Fort Dunlop, Fort Parkway, Birmingham B24 9FD, and is subject to computer processing in order to respond to questions from the media about the Group or its subsidiaries on the basis of your consent, and to respond to customer complaints, on the basis of the service contract that you have entered into with a subsidiary of Bureau Veritas.

Your personal data is intended for the Corporate Communication department or the Quality, Health & Safety and Environment department of the Bureau Veritas Group, depending on the nature of your request, and for their service providers, providing consulting and technical services as well as for the Bureau Veritas IT department. Your personal data will be retained for a period of one year for media requests and three years for customer complaints from your request. Your personal data can be transferred outside the European Union, in countries where Bureau Veritas subsidiaries operate, on the basis of standard contractual clauses established by the European Commission, available on request, by submitting a query here.

Fields marked with an asterisk must be filled in. Otherwise, Bureau Veritas would not be able to answer your questions and/or complaints. In accordance with the Data Protection Act 2018 and the General Data Protection Regulation of 27 April 2016, you have the right to access, rectify and erase any personal data concerning you, as well as the right to limit the processing, the right to oppose to the processing or the right to portability of your personal data. You have the right to withdraw your consent at any time by submitting a query here and unchecking the box dedicated to the collection of your consent. You can exercise your rights online to lodge a complaint to the Information Commissioner’s Office.