Ivan Spiteri
Director of Technology Advisory & Assurance
While DORA allows a transition period until until 17th January 2025, compliance can be challenging and time-consuming for these organizations. BDO favours a stepped approach whereby in-scope entities are encouraged to chart a DORA compliance program, starting today.
Compliance will be ensured by the entity’s competent authority
The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities will take the role of compliance oversight and enforce the regulation as necessary.
EU Member States will have the right to impose penalties for breach of obligations
This means significant penalties can be imposed by the Lead Overseer for non-compliance. These significant penalties will take the form of a periodic penalty payment of 1% of the average daily global turnover of the organisation in the preceding business year. This will be applied by the Lead Overseer daily until compliance is achieved for no more than a period of six months.
Requirements of DORA
DORA consists of 58 articles and is structured around five key pillars:.
- ICT Risk Management Requirements (Article 5 to 16)
- ICT-related incidents management, classification and reporting (Articles 17 to 23)
- Digital operational resilience testing (Articles 24 to 27)
- Managing of ICT third-party risk (Article 28 to 44)
- Information sharing arrangements (Art. 45)
