Preparing for the Digital Operational Resilience Act (“DORA”): Key Steps for Payments and Fintech Clients
The Digital Operational Resilience Act (“DORA”), an EU regulation designed to bolster the resilience of financial entities against Information and Communications Technology (“ICT”) risks, entered into force on January 16, 2023, and will become fully applicable on January 17, 2025. DORA applies to a wide range of financial entities, including payment services and fintech companies, with a primary focus on ensuring that the entire financial sector in the EU can continue to operate effectively in the face of increasingly complex ICT threats and disruptions.
As the enforcement date approaches, it is crucial for payments and fintech businesses to take proactive steps to ensure compliance and strengthen their operational resilience. Below are seven key actions you should take to prepare for DORA.
7 Key Steps to Prepare for DORA’s Enforcement:
- Conduct a Comprehensive ICT Risk Assessment
Assess your ICT systems, infrastructures, and operational processes to identify vulnerabilities. Understanding the scope of potential threats will allow you to design a targeted resilience strategy that meets DORA’s requirements.
- Establish an ICT Risk Management Framework
Implement a robust ICT risk management framework to monitor, identify, and mitigate ICT-related risks. This framework should align with your broader operational risk management strategies and be tailored to the scale and complexity of your business.
- Develop and Implement Incident Response Plans
Ensure that you have detailed and actionable ICT-related incident response plans in place. These plans must cover detection, reporting, and remediation of incidents in compliance with DORA’s notification timelines. Establish clear protocols for communication with regulatory bodies during ICT disruptions.
- Enhance Third-Party Risk Management
DORA imposes strict requirements for managing third-party ICT service providers. Conduct thorough due diligence on your ICT service providers, ensure that contracts with third parties address operational resilience, and monitor their performance regularly.
- Prepare for Threat-Led Penetration Testing (“TLPT”)
Payments and fintech companies deemed significant by regulators must undergo TLPT every three years to simulate cyberattacks. Prepare your systems and teams for these stress tests by engaging in routine vulnerability assessments and internal testing.
- Establish a Reporting and Communication Protocol
DORA mandates that ICT-related incidents be reported to regulatory authorities within specific time frames. Set up clear internal communication protocols to ensure swift and accurate reporting of incidents to the relevant authorities.
- Training and Awareness
DORA places a strong emphasis on ensuring that staff are adequately trained on ICT risk management. Provide ongoing training and awareness programs across all levels of your organization to ensure that employees understand their role in maintaining operational resilience.
What Is DORA?
DORA forms part of the EU’s Digital Finance Strategy, which seeks to modernize the financial sector while safeguarding its stability in an increasingly digital world. Its objective is to create a unified regulatory framework that ensures financial institutions, including banks, payment service providers, insurance companies, and fintech firms, can continue to provide essential services even in the face of severe ICT incidents, such as cyberattacks or system failures. The regulation recognizes the growing importance of digital services in the financial sector and the increasing risks associated with ICT reliance.
Scope and Applicability
DORA applies to a wide range of financial entities, including traditional institutions such as banks and insurance companies, as well as newer entrants like fintechs and payment service providers. It also applies to third-party ICT providers, which deliver critical services to these financial institutions. The regulation seeks to standardize the approach to operational resilience across the EU, reducing fragmentation and ensuring that all financial players adhere to the same high standards.
Timeline for Implementation
Financial entities have until January 17, 2025, to comply, giving companies a two-year period from the regulation’s entry into force to develop, refine, and implement their ICT risk management strategies and to ensure that their systems, processes, and governance frameworks meet the regulatory requirements.
Conclusion
As the financial sector becomes increasingly digital, regulations such as DORA are essential to safeguarding operational continuity. Payments and fintech companies must be proactive in addressing the regulation’s requirements to minimize risks and ensure compliance. By following the outlined steps, you can build a more resilient organization capable of withstanding future ICT threats.
For further guidance on how to comply with DORA or to discuss your specific operational resilience strategies, please contact AGG partners and Emerging Technologies co-chairs Allison Raley and Jackie Cooney.
- Allison E. Raley
Partner
- Jacqueline W. Cooney
Partner