Deadline for DORA – 17 January 2025!

The Digital Operational Resilience Act (DORA) is an EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. It requires financial entities in the banking and payments, insurance and investment sectors to manage their information and communication technology (“ICT”) risks strictly and effectively.

DORA applies to certain financial entities and ICT third-party service providers in the UK that work with EU customers or do business with EU financial firms. In-scope businesses falling into these categories will need to establish robust ICT risk management frameworks, manage third-party risks, conduct regular digital operational resilience testing, comply with strict incident reporting guidelines and share threat intelligence with other financial service institutions.

Examples of the types of businesses that may be within scope:

  • Banking sector: credit institutions.
  • Payments sector: payment institutions (including those exempted under PSD2), account information service providers (AISPs), electronic money institutions (including those exempted under the second Electronic Money Directive (2009/110) (EMD)).
  • Markets infrastructure: central securities depositories, CCPs, trading venues, trade repositories and data reporting service providers.
  • Investments and funds sector: MiFID investment firms, managers of alternative investment funds (AIFs) and UCITS management companies.
  • Insurance sector: insurance and reinsurance undertakings, and insurance, reinsurance and ancillary insurance intermediaries.
  • Cryptoasset service providers authorised under the EU Regulation on markets in cryptoassets (MiCA) and issuers of asset-referenced tokens.
  • Other financial entities: credit rating agencies, administrators of critical benchmarks, crowdfunding service providers and securitisation repositories.
  • ICT third-party service providers – providers of cloud computing services, software, data analytics services and data centres.

Failure to comply with DORA could result in fines of 1% of your daily turnover (up to 6 months).

If you are unsure whether DORA applies to you, Herrington Carmichael’s expert regulatory team will conduct an analysis of your firm’s business activities and operations to determine whether your business falls within the scope of DORA. This analysis will include, for example:

  • Assessment of third-party service providers used by your business.
  • Assessment of how your business is conducted through subsidiaries, branches or representative offices.
  • Review of services offered.
  • Analysis of types of entities covered by DORA and any applicable exceptions.
  • Analysis of provision of or reliance on ICT services.

Kindly contact us if you require more information or would like us to assess whether DORA applies to your business, and a member of our Regulatory Team will gladly assist.

Brendon Lesar
Paralegal, Commercial

This reflects the law and market position at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought in relation to a specific matter.
