Digital Operational Resilience Act (DORA)

What is DORA?

DORA is the European Union's Digital Operational Resilience Act (Regulation (EU) 2022/2554), the final text of which was published in December 2022 by the European Parliament and the Council of the European Union. Financial Entities are increasingly dependent on Information and Communication Technology (ICT) services for their functioning.

DORA prescribes how EU-regulated Financial Entities must manage ICT risk, including certain third-party risks. It also sets out the mechanisms by which regulators, including the European Supervisory Authorities (ESAs) and national competent authorities, will supervise Financial Entities.

DORA marks a shift from the previous framework, in which ICT risk was addressed mainly through capital allocation, to a digital operational resilience model. It applies to Financial Entities licensed in the EU and, through its oversight framework, to the ICT third-party service providers of such Financial Entities.

DORA applies from 17 January 2025.

Key topics

Comprehensive ICT risk management framework

DORA requires Financial Entities to have in place a robust and comprehensive ICT risk management, governance, and control framework to mitigate their exposure to ICT risk and ICT-related incidents, with the management body accountable for it.

Digital operational resilience testing

Financial Entities are required to put in place comprehensive digital operational resilience testing programmes according to the requirements set out under DORA. For entities in scope, this includes threat-led penetration testing (TLPT) carried out on live production systems, which may involve ICT third-party service providers; DORA also allows pooled testing and mutual recognition of testing results across Member States, allowing firms to streamline their resilience tests and confirm that the ICT services supporting their functions are resilient to ICT risk and cyber incidents.

ICT third-party risk management

DORA defines and strengthens ICT third-party risk management, building on the existing outsourcing guidelines issued by the ESAs. This supports Financial Entities in enhancing their management of third-party risks and standardises expectations of ICT third-party service providers, including the contractual terms that must be in place.

ICT incident reporting

DORA harmonises incident reporting requirements for Financial Entities. This allows them to adopt standardised processes across EU geographies to classify ICT-related incidents, report major incidents to their competent authority, and communicate with clients where they are affected, as part of a holistic incident management capability.

Information sharing

DORA gives Financial Entities the option to exchange cyber threat information and intelligence with their peers, including indicators of compromise, tactics, techniques and procedures, cyber security alerts, and configuration tools. This helps improve risk readiness and operational response capability across the EU financial sector.

FAQs

  • The Digital Operational Resilience Act, or "DORA", is an EU regulation on digital operational resilience for the financial sector that applies from 17 January 2025. DORA aims to establish a harmonised operational resilience framework across the EU. Amongst other things, DORA requires Financial Entities to ensure their agreements with ICT service providers contain certain contractual requirements. These are predominantly set out in Articles 28 and 30 of DORA. LSEG expects a number of its services will constitute "ICT services" for the purposes of DORA.

  • DORA applies across the financial services sector in all EU member states, specifically to ICT services used in the EU by Financial Entities. It also introduces a framework for direct oversight of designated critical ICT third-party service providers by the EU regulatory authorities, even where the provider is established outside the EU. For LSEG, this means that: (1) a number of LSEG's regulated EU businesses fall within the direct scope and impact of DORA; and (2) LSEG expects clients of certain LSEG services which are in the scope of DORA as ICT services to request support with their DORA obligations.

  • LSEG considers resilience a strategic priority and is putting significant effort into enhancing its existing processes to align with DORA by 17 January 2025. LSEG has also been engaging with regulators and industry experts through active participation in various DORA-related consultation processes (including in respect of the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS)).

  • Where LSEG entities provide ICT services to clients who are themselves subject to DORA, we have made a number of updates to our operational processes to support such clients’ compliance with DORA, including making available the relevant Annex or updating the existing Rulebook for the benefit of eligible EU clients who require DORA-compliant contractual terms.

  • Where LSEG is an ICT service provider, the relevant LSEG business has either prepared an Annex or updated its existing Rulebook as detailed above. The relevant Annex and updated Rulebook (or, in the case of Acadia, the existing MSA) contain the contractual provisions that the relevant LSEG business is prepared to offer clients of LSEG ICT services which are in scope for DORA.

    The Annex and relevant Rulebook clauses have been drafted following detailed scrutiny of DORA provisions, in particular Articles 28 and 30 of DORA and any relevant RTS. In drafting an Annex and relevant Rulebook clauses, we have taken into account standard market practices followed by other ICT service providers and included industry and client feedback, where applicable and available.

  • For ICT services relating to LSEG's Data & Analytics, Risk Intelligence, FTSE Russell and FX businesses, the LSEG Annex can be requested at the self-service client portal https://resiliencehub.lseg.com/. Once the LSEG Annex is signed, the contractual terms for the applicable ICT service(s) will be updated to include the LSEG Annex terms effective from 17 January 2025 or the date when the LSEG Annex is signed by the client, whichever is later. Contact your Account Manager for further information on the Annex Request process and the portal.

    For ICT services relating to London Stock Exchange plc’s businesses, the LSEG Annex can be requested at each business division’s self-service DORA webpage, available below. Clients will receive a DORA variation letter for each business division, which will incorporate the LSE Annex. Once signed, the contractual terms for the applicable ICT service(s) will be updated to include the LSE Annex terms effective from 17 January 2025 or the date when the variation letter is signed by the client, whichever is later.

    For ICT services provided by LSEG Regulatory Reporting, clients can email their PTRR account representative to request a copy of the PTRR Annex, or use the Regulatory Reporting Support Portal (lseg.com).

    For ICT services provided by TradeAgent, SwapAgent and Acadia, no further action is required as the DORA provisions are contained directly in the relevant Rulebook or MSA and, where they have been inserted as part of a Rulebook amendment, will apply automatically at the expiration of the relevant notice period for amendments.
    LCH clearing services: https://clearingservices.lch.com
    Acadia: https://portal.acadiasoft.com

    For the avoidance of doubt, each of the respective Annexes applies only to the relevant LSEG businesses as stated above and does not apply to ICT services provided by any other LSEG businesses or any other financial services provided by LSEG. If you have questions related to other LSEG businesses or any other financial services provided to you by LSEG, contact your LSEG account representative.

  • DORA requires Financial Entities to maintain a register containing information relating to the ICT services they receive and the third-party providers of such services (the "Register of Information"), covering all contractual arrangements for ICT services. Completed Registers of Information are to be submitted to the applicable competent authority for DORA on request and at the intervals it sets.

    Some LSEG Financial Entity clients will therefore want to request LSEG to provide certain information to help them populate these Registers of Information. LSEG clients can make such requests via the client portal for Data & Analytics, FTSE Russell, Risk Intelligence and FX, or by reaching out to their respective LSEG account representative for other LSEG businesses.

  • LSEG is carefully monitoring and tracking developments relating to the designation of critical ICT third-party service providers under DORA's oversight framework, to ensure that it satisfies any applicable regulatory requirements relating to any potential designation in a timely manner.

Disclaimer:

Any information set out herein, including any opinions (Information), is provided for general purposes only and LSEG does not intend to provide this as financial, tax and accounting, legal or other professional advice. Some Information may contain the opinions of third parties and LSEG is not responsible for such opinions. LSEG is not responsible for any damages resulting from decisions made by any person in reliance on any Information. Anyone accessing, using, or otherwise relying on any Information in any respect agrees that it accesses, uses, or otherwise relies on the Information at its own risk in all respects.