Navigating the Digital Operational Resilience Act (DORA)

Achieve DORA compliance and build a resilient future.

What is DORA?

The Digital Operational Resilience Act (DORA) aims to establish a clear foundation for security and operational resilience in the financial services sector for European Union (EU) financial regulators and supervisors, while also aligning with other EU measures on cyber security and data.

DORA establishes a framework for digital operational resilience in the finance sector by outlining five key pillars, which include:

  • Information and communication technology (ICT) governance and ICT risk management
  • Recording and reporting system for serious ICT incidents
  • Testing digital operational resilience
  • ICT third party risk management
  • Information and intelligence sharing

Who is in scope?

With few exceptions, DORA applies to the following entities (referred to as 'in-scope firms'):

  • All financial entities established or operating in the EU
  • Certain critical ICT third party service providers of financial entities

What is the timeline for DORA?

DORA entered into force on 16 January 2023 and in-scope firms must be compliant from January 2025.

  • The first set of technical standards (Regulatory Technical Standards and Implementing Technical Standards), which cover the risk management frameworks, the criteria for the classification of IT incidents and third party risk management, were submitted to the European Commission on 17 January 2024 and subsequently adopted.
  • The second set of standards, which will cover a number of matters including the subcontracting of critical or important ICT services and threat led penetration testing, were submitted by 17 July 2024 following a consultation that closed earlier this year.

What can Broadridge do to support you in achieving DORA compliance?

One of the most important aspects of Broadridge’s role in the financial services industry is bringing together the client community to collectively solve regulatory challenges and to mutualise the costs of compliance through a shared services model. The future resilience of the industry is dependent on collaboration and the sharing of best practices, which underlines Broadridge’s commitment to its role as a hub for cross-market communication and information sharing.

Deeply knowledgeable professional services and technology solutions

Broadridge offers specialised expertise to assess and validate financial organisations’ risk and control frameworks, supporting alignment with new and evolving regulatory requirements and mandatory market changes.

Leveraging its extensive in-depth experience in financial services and advanced analytical tools, Broadridge provides thorough evaluations to identify potential vulnerabilities and optimise risk management practices. Its comprehensive approach includes detailed assessments of your current framework, validation of risk controls, and recommendations for enhancing the robustness and efficiency of operational risk management practices.

Broadridge provides SaaS-based solutions that inherently feature resilience and comprehensive reporting capabilities. Through rigorous risk management protocols, data security, operational processes, and 24/7 incident management overseen by a dedicated team spread across multiple geographic locations and time zones, Broadridge strives to provide clients with the highest level of protection against adverse market events.

Broadridge has also launched a set of enhanced cyber recovery (Immutability and Repave) solutions to bolster financial organisations’ operational resilience as cyber-attacks become more sophisticated and prevalent. By deploying secure immutable storage, these solutions create unalterable, point-in-time copies of the entire system infrastructure, including the operating system, third-party software, application software, and critical data. In the event of a cyber incident, these secure, cyber-resilient copies can be swiftly restored to enable faster and easier system recovery. As a result, this advanced solution mitigates the impact of a cyber-attack, enhances business continuity against an evolving threat landscape, and helps get ahead of regulator and Board questions on cyber recovery. Broadridge is also engaged with large global firms on collaborative assessments to design firm-specific recovery playbooks that improve preparedness.

Contact our experts to learn how we can support your DORA and operational resilience efforts.

Let’s talk about what’s next for you

Our representatives and specialists are ready with the solutions you need to advance your business.

Want to speak with a sales representative?

  • North America: +1 800 353 0103
  • EMEA: +442075513000
  • APAC: +65 6438 1144
