DORA

DORA - Digital Operational Resilience Act

The Digital Operational Resilience Act (DORA) is a regulation of the European Union (EU) that sets detailed requirements for the operational resilience of the Information and Communication Technology (ICT) infrastructure of financial entities, including banks, pension funds and asset managers. It entered into force on January 16, 2023, and is effective from January 17, 2025. The objective of this regulation is to strengthen the digital operational resilience of the financial sector against cyber-attacks and disruptions.

Scope

DORA applies to 20 types of financial entities, including their ICT third-party service providers. Key areas under DORA are governance of ICT risk management, third-party risk management, digital operational resilience testing, and incident reporting. It is important to note that a financial entity which has outsourced its ICT operations remains ultimately responsible. This also applies to the ICT operational resilience of its third-party providers. If you have been designated as a critical third party by the National Competent Authorities (NCAs) in your country, the DORA regulation sets out additional compliance requirements for you. DORA recommends taking the principle of proportionality into account when designing a compliance strategy. Are you classified as a micro financial institution? You are still required to comply with DORA; however, the extent of compliance varies according to the size of your organization.

Critical Third Parties

DORA recognizes the importance of big or critical players in the European financial system and therefore has a separate section dedicated to reinforcing the operational resilience and supervision of such critical third parties. The 'criticality' of a third party stems from the fact that other financial institutions depend on it, so that its operational failure can result in a domino effect like the 2008 financial crisis and subsequent recession. With increasing globalization and interdependence, the potential for such domino effects grows. Examples of such critical third parties are big European banks such as ING or BNP Paribas. Another example of a critical third-party provider is a pan-European cloud service provider to financial institutions, such as Google or Microsoft.

Harmonization

To ensure an integrated effort for strengthening the European financial system, DORA strives for consistent operational resilience rules across EU member states. On a national level, according to DORA, NCAs are responsible for this harmonization. For example, in the Netherlands these NCAs are the Netherlands Authority for the Financial Markets (AFM) and the Dutch National Bank (DNB), which supervise and guide the Dutch financial industry. NCAs are also responsible for formulating clear guidelines for DORA compliance, for example templates for incident registers or third-party ICT provider registers.

Conclusion

DORA comes into full force on January 17, 2025. European financial institutions therefore have limited time to understand DORA and analyze its implications for their risk frameworks and day-to-day operations. Not to mention that non-compliance with DORA after that date can result in fines and other strict measures from NCAs. Are you not yet DORA compliant? We are here to help and guide you through this compliance process so that you can focus on your core business.

Mylette's Regulatory Compliance Solutions

With years of hands-on experience in implementation and operational processes, Mylette offers various DORA compliance solutions. We believe that every client is special and needs a unique approach; therefore these compliance solutions can be tailored to your needs. From structured guidance at the start to complete DORA compliance and implementation, these solutions help financial institutions navigate the complex regulatory landscape and bring their digital resilience in line with DORA. Don’t forget to check out ORCA (Operational Risk & Control Application), our non-financial risk management platform that helps you take charge of compliance and other non-financial risks.

Would you like to know more about our possibilities? Then get in contact with us.

Regulation cases

SEPA Transition
Business Analysis, Expert Services

For an IT service provider for the financial industry, Mylette provided advice on SEPA driven software adjustments and business processes. These adjustments have been incorporated in the products of the IT service provider to banks and brokers.

Dashboard Operational Risk
Solutions, Business Analysis

For a large pension fund company, Mylette Solutions provided an operational risk dashboard. With this dashboard, the management's grip on daily business and transitions in the field of compliance and regulations has greatly improved.

ILAAP Implementation
Project Management, Architecture, Solutions Selection

For a large Dutch Bank, Mylette led the implementation of ILAAP in cash management and payments for the bank. Within the project, Mylette also represented enterprise architecture and played a leading role in the solution selection process.

AIFMD Compliance
Project Management, Expert Services, Architecture

A Dutch asset manager sought support in the development and implementation of AIFMD reports. The assignment resulted in a permanent advisory role on compliance, which now also covers EMIR reports and activities.

EMIR Compliance
Project Management, Business Analysis

Mylette was in charge of a Dutch bank's project covering the transition to central clearing and EMIR reporting. Mylette guided the design and implementation approach based on best practices.

Committed consultants

Arthur Koreman
Cees Sep