Digital Operational Resilience Act (DORA)

What is DORA?

DORA is the European Union’s Digital Operational Resilience Act, the final text of which was published in December 2022 by the European Parliament and the Council of the European Union.

It prescribes the ways in which firms are required to manage Information and Communication Technology (ICT) risks. It also outlines the mechanisms by which regulators, including the European Supervisory Authorities and national competent authorities, will monitor firms.

It is, broadly speaking, applicable to financial entities licensed in the EU as well as to the ICT service providers of such financial entities.

DORA will be effective from 17 January 2025.

Key topics

Comprehensive ICT risk management framework

DORA requires firms to have in place a robust and comprehensive ICT Risk Management governance and control framework to mitigate their exposure to ICT risks.

ICT incident reporting

DORA harmonises incident reporting requirements for EU regulated financial entities, allowing them to adopt standardised processes to classify, communicate (to regulators and clients) and report on incidents as part of a holistic incident management capability across EU geographies.

Information sharing

Although optional under the regulation, DORA allows financial entities to exchange information with peers about cyber threats, including indicators of compromise, techniques, procedures, configuration tools and cyber security alerts, to improve readiness and response capability across the sector and the EU.

ICT third-party risk management

DORA further defines and strengthens ICT Third-Party Risk Management, building on existing outsourcing guidelines by the European Supervisory Authorities. This supports regulated financial entities in enhancing their management of third-party risk and standardises expectations of ICT third-party providers.

Digital operational resilience testing

EU regulated financial entities are required to put in place comprehensive digital operational resilience testing programmes according to the requirements set out under DORA. This includes joint Threat-Led Penetration Testing (TLPT) with ICT service providers, pooled testing and mutual recognition of testing results, allowing firms to further streamline their resilience tests.

DORA scope

DORA has broad application, and it covers all authorised European Financial Entities including banks, payment institutions, financial data providers, investment financial entities, crypto asset service providers and more.

Additionally, DORA also applies to some ICT third-party service providers, who may be subject to oversight by a Lead Overseer appointed by the European Supervisory Authorities (ESAs) if designated as a critical ICT third-party service provider. If an ICT service provider is designated as critical under DORA Article 31, the ESAs will appoint a Lead Overseer who will perform regular reviews and assessments of the third party’s digital operational resilience capabilities and risks.

LSEG’s approach

DORA is a significant step-change for the financial services industry and our customers. We will continue to support innovation, resilience and security in the industry under both EU and UK regulatory frameworks.

LSEG is committed to ensuring compliance with DORA as well as supporting our customers in meeting their compliance with DORA. LSEG is reviewing its processes, services and contractual commitments in accordance with DORA, and this webpage will be updated from time to time to reflect our progress.

If you have any questions on DORA, please reach out to your account representative.

FAQs

  • DORA applies across the financial services sector in all EU member states, specifically to ICT services used in the EU by EU-regulated Financial Entities. It also introduces a framework for direct oversight of designated ICT service providers by the EU regulatory authorities, even if outside the EU. For LSEG, this means that a number of our regulated EU businesses fall within the direct scope of DORA, and where LSEG provides ICT services we will be taking steps to support customers who are themselves impacted by DORA.

  • We consider resilience as a strategic priority and are working to enhance existing strong practices to be compliant with DORA by the regulatory timeline of January 2025. We have been carefully reviewing the regulation and have been engaging with regulators and industry experts through active participation in the public consultation process in respect of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).

  • Our EU regulated financial entities will be compliant with DORA by the regulatory timeline of 17th January 2025. Where LSEG entities provide ICT services to EU regulated financial entities, we will be making a number of updates to our operational processes to support our customers’ compliance with DORA, including making an LSEG Operational Resilience Annex available to customers who require DORA-compliant contractual terms.

  • We will work with our ICT suppliers to ensure contracts are compliant with the requirements of DORA ahead of the regulatory timeline.

    For LSEG-provided ICT services, an LSEG Operational Resilience Annex will be made available to impacted customers who require this for DORA compliance. We will provide more information in due course.

  • We are working closely with regulators and subject matter experts to understand and define requirements for potential designation as a critical ICT third-party service provider and are defining an approach to ensure we will satisfy regulatory requirements in a timely manner.

    Whilst our current focus is on the finalised requirements of the regulation, we will, in case of designation, seek a transparent and collaborative relationship with the Lead Overseer to understand their expectations around implementation of the requirements in practice. We are also providing feedback on the Level 2 RTS and ITS that are still in draft.

  • Typically, LSEG does not provide outsourced services. The content provided by LSEG is in the nature of services/tools to support the customers’ risk/regulatory requirements. In most cases, LSEG is not providing a process, service or activity that would otherwise be undertaken by the customer, and the customer is responsible for any actions or decisions taken in connection with LSEG services.