The Digital Operational Resilience Act (DORA): the legal implications

The EU’s Digital Operational Resilience Act (DORA) applies from 17 January 2025. DORA is a wide-ranging piece of legislation aimed at increasing the resilience of the EU’s financial services sector by ensuring firms are able to withstand, respond to and recover from all types of information and communications technology (ICT) related disruptions and threats. Any UK firm that provides regulated services within the EU will be subject to the regulation.

Implementing the requirements under DORA will require a strategic shift and significant preparation. As well as meeting immediate and ongoing obligations, firms will need to strengthen their resilience to unexpected digital disruptions in a way that keeps pace with evolving threats and vulnerabilities.

DORA implementation will require firms to look at all areas of their business, from strategy, governance and reporting lines to product design, operational policies and procedures and personnel management. However, successful implementation will also require firms to go beyond simply revising existing policies and contracts: senior-level sponsorship will be vital, and firms will need to ensure they have done all they can to embed the specific changes required by the regime.

This is likely to be a significant task. Juggling a project of this scale alongside an already heavy ‘business as usual’ load isn’t easy. We can help you to navigate the new regulatory framework, from planning to implementation. We can also help you think about conduct risk, and how to shape the right culture for good customer outcomes and compliance.

We can support you with:

  • Identifying contracts for ICT services
  • Reviewing supplier agreements, contracts and standard terms and conditions
  • Identifying amendments required to comply with the regulations
  • Negotiating with suppliers regarding new provisions
  • Updating templates and playbooks
  • Identifying and providing staff training
  • Integrating our services with Deloitte Risk Advisory and Assurance teams to provide a holistic and complete service

How we work

Our legal operations, commercial contracting and financial regulation teams work together to bring consolidated and blended advice.
Our legal services can be holistically and seamlessly provided alongside other Deloitte services, offering unrivalled industry expertise and integrated assessment and implementation services.
We work across a global network, supporting you where you are.


Key contacts

Isabel Parker

Partner

Paul O’Hare

Partner