EU negotiators have now reached a full technical agreement on the DORA package. A few months of administrative process are left before the DORA will be published in the EU Official Journal (OJ)[1], but the full text of the agreement has now been published by the European Parliament and Financial Services firms need to begin assessing what it means for them.

Our view is that the DORA is a “game changer” that will push Financial Services firms to fully understand how their ICT, operational resilience, cyber and TPRM practices affect the resilience of their most critical functions as well as develop entirely new operational resilience capabilities.

Firms will face a relatively tight 24-month implementation period in order to do this. The implementation period will begin 20 days after OJ publication (October/November this year). That means that, by Q4 2024, the relevant Financial Services supervisors will expect firms to be in full compliance with all of the DORA’s new requirements, including how those requirements are elaborated through secondary rulemaking by the European Supervisory Authorities (ESAs).

Our report explores the legislation in four parts. Firstly, we outline the key points of the Act. Secondly, we examine what the final DORA agreement means for firms, with specific focus on its five pillars. Thirdly, we consider the implications of incoming technical standards. Fourthly, we provide insight into how financial services firms should engage with the Act.

Watch the video below to learn more about DORA.