Exploring Operational Resilience in Financial Services – the Effects of DORA on Risk and Regulation in Top 3 Financial Markets

In January 2023, the Digital Operations Resilience Act (DORA) came into force as part of a consolidated digital operational framework for companies active in the financial services sector. The effects of this new framework will be felt outside the EU too as businesses operating cross border will have to deal with the challenge of simultaneously complying with regulatory requirements in multiple jurisdictions. The requirements of DORA are added to that list for all market players based outside the EU, but active in one or more EU countries. The same is of course true in reverse, EU market players active in territories outside the EU are now bound by corresponding operational resilience regulations applying in those third countries. This article aims to work out and compare the most essential operational resilience requirements applicable in the top three financial marketplaces of the world (Frankfurt, London and New York), in order to raise cross-border operating companies’ awareness in this respect and outline a general guideline on how to deal with the challenges of DORA, in particular.

I. DORA at a Glance

On 27 December 2022, the Digital Operations Resilience Act (DORA) was officially published in the EU Official Journal. As a part of the EU Digital Finance Package announced in September 2022, DORA is intended to strengthen the digital operational resilience of companies that are active in the financial services sector. It finally came into force as a consolidated digital operational framework on 16 January 2023. As such, DORA establishes a number of obligations aimed at effectively pre- venting and mitigating cyber related threats and establishing a legal framework on operational resilience for numerous market players active in the financial services sector. This includes, amongst others, financial entities specified in Art. 2 (1) DORA such as credit institutions, investment firms, trading venues, insurers, and reinsurers, but crucially also ICT service providers delivering their services to aforementioned companies.

Implementation of the measures set out in DORA must take place by 17 January 2025, at the latest, and will most likely require significant investment by those caught by the regulation. There could be broader implications too, implementation of DORA as the first European sector-specific law imposing mandatory minimum standards on operational resilience has the potential, as in the past, to establish a new market standard in general.

DORA is intended to harmonise the existing patchwork of insufficiently coordinated national legislation across the EU by way of new uniform security requirements for network and IT (Art. 1 (1) DORA). As a regulation, DORA is directly applicable in and across all EU Member States without the need for its transposition into national statutory rules.

The article covers the following topics:

1. Requirements for Financial Institutions
2. Requirements for ICT third party service providers
3. Consequences of Non-Compliance

II . Digital Operational Resilience from a UK Perspective

1. What about Third Parties?
2. OpRes Rules at a Glance

III. Digital Operational Resilience from an US Perspective

1. Regulatory Oversight in the Digital Age
2. What about Third Parties?
3. Digital Operational Resilience under US Regulations at a Glance

IV. Conclusion

The full article was published in the Computer Law Review International magazine and is available through the links below (Paid subscription)

Click here to read the full article (Print ordering option in German)

Click here to read the full article (eJournal as PDF in English)