Digital Operational Resilience Act (DORA) compliance checklist

Published on 8th August 2024

WHAT IS DORA?

The Digital Operational Resilience Act (DORA) was established to address the growing reliance on digital systems within the financial sector and the related risks to the stability of the financial system. DORA entered into force on January 16, 2023, and applies in full from January 17, 2025, after the 24-month implementation period that follows its publication in the Official Journal of the EU.

DORA covers a wide range of financial services entities, including:

  • Banks
  • Pension funds
  • Insurance companies
  • Payment institutions
  • Investment companies

Additionally, it extends to third-party service providers that deliver ICT systems and services to financial businesses, such as cloud service providers and data centres. This comprehensive scope ensures that the entire financial ecosystem adheres to stringent digital resilience standards, safeguarding against digital disruptions and cyber threats.

The Digital Operational Resilience Act (DORA) establishes a comprehensive regulatory framework aimed at enhancing the digital operational resilience of financial entities within the European Union. Here’s a summary of its key points and a checklist for compliance:

DORA COMPLIANCE CHECKLIST

1. Understanding and awareness of DORA

  • Read and understand the full text of the Digital Operational Resilience Act.
  • Keep updated with any guidelines or clarifications from regulatory bodies.
  • Distribute relevant DORA documentation to key stakeholders.

2. Assessment and gap analysis 

  • Conduct a thorough assessment of current digital operational resilience capabilities.
  • Perform a gap analysis to identify deficiencies in existing practices.
  • Evaluate ICT-related risks, including those from third-party providers.

3. ICT risk management framework 

  • Develop and document a comprehensive ICT risk management framework.
  • Ensure the framework covers risk identification, assessment, mitigation, and monitoring.
  • Establish clear roles and responsibilities for ICT risk management.

4. Incident reporting procedures

  • Establish procedures for identifying and reporting ICT-related incidents.
  • Ensure compliance with DORA’s incident reporting timelines and requirements.
  • Implement a system for documenting and managing incidents.

5. Operational resilience testing and DORA 

  • Develop a schedule for regular resilience testing, including:
    • Vulnerability assessments
    • Penetration testing
    • Continuity exercises
  • Document and address findings from resilience tests.
  • Ensure tests cover all critical ICT systems and tools.

6. Third-party risk management under DORA 

  • Review and strengthen contracts with third-party providers to ensure DORA compliance.
  • Develop a monitoring and reporting system for third-party risks.
  • Conduct due diligence and regular assessments of third-party providers.

7. Information sharing 

  • Participate in industry information-sharing initiatives.
  • Establish internal processes for sharing information about cyber threats and vulnerabilities.
  • Implement a communication strategy for disseminating shared information.

8. Policy and procedure development 

  • Update or develop policies and procedures to align with DORA requirements.
  • Ensure policies cover all aspects of digital operational resilience, including:
    • Risk management
    • Incident reporting
    • Testing and monitoring
    • Third-party management
  • Disseminate policies to all relevant staff and ensure awareness.

9. DORA training and education

  • Develop training programs to educate staff on DORA requirements and their roles.
  • Conduct regular training sessions and updates.
  • Include DORA compliance in new employee onboarding processes.

10. Governance and oversight 

  • Establish a governance structure to oversee DORA compliance.
  • Assign responsibilities and ensure accountability at all levels.
  • Regularly review and update governance practices.

11. Monitoring and review with regard to DORA 

  • Conduct regular reviews and audits of the digital operational resilience framework.
  • Continuously improve based on findings and evolving regulatory requirements.
  • Implement a system for tracking compliance progress.

12. Engagement with regulators and industry bodies 

  • Maintain open communication with relevant regulatory bodies.
  • Seek clarification and guidance as needed.
  • Collaborate with other financial institutions and industry bodies to share insights and best practices.

The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.