The Ultimate DORA Compliance Checklist for Brokers

The Digital Operational Resilience Act (DORA) came into full force in the EU on January 17, 2025. The new law aims to strengthen the financial ecosystem in the bloc against IT failures and cyber threats. DORA does this by providing a framework for cross-sectoral digital operational resilience, applicable to all regulated financial firms operating in the EU. Before this, financial firms dealt with risks by setting aside funds to cover incident-related losses. But this method failed to address issues like system failures, cyberattacks and the associated disruptions themselves.

Under DORA, financial services providers must follow stringent measures to detect, prevent, respond to and recover from cyber threats and IT incidents. The new framework also fosters cooperation within the sector by promoting information sharing on existing and emerging cyber and ICT risks. The aim is to strengthen collective resilience. Through DORA, the European Union establishes that financial stability goes beyond capital reserves to building the capacity to withstand and recover quickly from disruptions.

The Five Pillars of DORA

The five pillars on which the new law stands are designed to create a more secure and resilient financial ecosystem.

1. ICT Risk Management

This pillar requires financial entities to establish a governance and internal control framework for ICT risks, including identifying, assessing and mitigating those risks. DORA requires financial firms to shoulder greater accountability and take a more careful approach to cybersecurity. The law provides a comprehensive framework for risk management that includes defining risk tolerance and appetite, critical functions and ICT assets. It also provides guidelines for detection, prevention, incident response and recovery plans.

2. Incident Management and Reporting

This pillar emphasises the importance of having a structured approach to identifying, responding to, and recovering from IT disruptions or security threats, including reporting requirements for major incidents. The regulation provides clear procedures for managing and reporting ICT incidents, standardised across the EU. This ensures better coordination among authorities, leading to improved incident response. DORA also establishes specific criteria for classifying such incidents and logging them.

3. Digital Operational Resilience Testing

This pillar focuses on testing the resilience of technology through various methods, such as threat-led penetration testing, to ensure that financial firms can withstand cyberattacks and other disruptions. DORA makes it mandatory to regularly test ICT processes and systems to evaluate their resilience and identify vulnerabilities. EU-based firms are also required to conduct broad-based live threat penetration testing every three years. A compliance certificate will be provided on completion of the testing. Third-party vendors are also required to participate in such testing.

4. Third-Party Risk Management

This pillar addresses how financial entities should manage the risks associated with external service providers, including technology suppliers, outsourcing partners, and other critical vendors. DORA mandates the compilation and maintenance of a register of all third-party ICT providers, services offered by each and functions supported. Any changes to this register must be reported to the regulatory authorities annually, while following the contract content guidelines and establishing exit strategies.

5. Information Sharing

This pillar encourages the sharing of information and intelligence about cyber threats and incidents to help the entire financial system stay safe and resilient. The regulatory framework also outlines secure information exchange mechanisms for cyber threats, as well as confidentiality guidelines and obligations to notify the regulator.

How Brokers Can Comply With DORA

Here’s a breakdown of the steps brokers and other financial services providers must take to ensure compliance with DORA.

Determining Scope and Requirements

Determine which parts of DORA apply to your organisation and third-party providers. Follow this up with a comparison of your current ICT systems and processes against DORA’s requirements to identify gaps. Review your ICT risk management strategy, your vendors and existing contracts to understand where you stand. Use this information to develop a plan to address the identified gaps and achieve compliance. You will need to comply with the regulation if you provide services in the EU, even if your organisation isn’t based in the bloc.

ICT Risk Management Planning

Establish a robust ICT risk management framework based on your gap analysis, and integrate it into your overall risk management strategy. Also, create an action plan for regular risk assessments to identify, evaluate and mitigate ICT risks, prioritising actions according to your risk assessment. Define policies, procedures and standards for managing ICT risks. Finally, ensure continuous monitoring of ICT systems and services. Article 5 of DORA mandates a strong ICT risk management framework to protect your technology, business and customers.

ICT Incident Reporting and Management

Develop a clear process for managing ICT incidents, including detection, escalation, reporting and response procedures. Also, establish procedures for reporting incidents to the relevant authorities and stakeholders, and track and categorise incidents. Make sure you conduct thorough analyses of incident causes to prevent recurrence. Articles 17 and 18 provide guidelines on actions to take before, during, and after an incident. You will also need to classify the incident as “minor” or “major,” depending on the impact. All major incidents must be reported to the authorities.

ICT Resilience Testing

Conduct regular testing of ICT systems, including vulnerability assessments, penetration tests and scenario-based tests. Implement Threat-Led Penetration Testing (TLPT), using approved frameworks and conduct tests on live production systems regularly. Define Recovery Time Objectives (RTOs) for essential systems and ensure their ability to recover from disruptions. Articles 25-27 of DORA mandate vulnerability assessments every quarter, along with annual penetration testing and TLPT every three years. Make sure to document all your actions so that compliance and improvement can be demonstrated under DORA.

Third-Party Risk Management

Develop a framework to assess and manage risks associated with third-party ICT service providers. Conduct thorough due diligence on third-party providers, including contractual agreements and compliance requirements. Additionally, monitor third-party providers continuously to ensure they are meeting their obligations. Begin with identifying and classifying ICT providers that are critical to your operations. Make sure their contracts outline obligations and contingency plans, in case the provider fails to deliver. Also include service levels, data protection and exit clauses. Finally, schedule regular reviews to identify issues early.

Information Sharing and Collaboration

Participate in information-sharing arrangements to stay informed about emerging threats and best practices. Also, engage with cyber threat intelligence forums to learn from other industries. DORA compliance includes working with regulators by connecting with National and European Supervisory Authorities, such as the EBA, ESMA and EIOPA. This facilitates information sharing, report submissions and addressing issues as they develop.

Documentation and Training

Maintain thorough records of all compliance activities, including risk assessments, incident reports and testing results. To ensure organisation-wide compliance, run regular cybersecurity training and awareness programmes for all employees. Also, define roles and responsibilities to establish a clear governance framework under DORA. Key roles to define include the Chief Information Security Officer (CISO), Data Protection Officer (DPO) and Compliance Officer.

Ease Compliance with the Right Partner

Failure to comply with the Digital Operational Resilience Act could lead to severe consequences, with organisations potentially facing penalties of 2% of their total global annual turnover or €10 million, whichever is higher. Third-party providers could face fines of up to 1% of their average daily turnover globally for each day of non-compliance, up to a maximum of 6 months. DORA also establishes individual accountability for organisational leaders, with non-compliance leading to potential penalties of up to €1 million.

You need a multi-regulated, multi-asset liquidity and technology provider to ensure compliance in the EU and beyond. X Open Hub takes pride in adhering to the highest standards of corporate governance, financial reporting and regulatory compliance. We are licensed by tier-1 regulators across the world, including the UK FCA, KNF, CySEC, DFSA, FSCA, FSC, and more. Our licenses are passported to 25+ EU countries, easing compliance for our broker partners throughout the bloc.

Speak to our team today to learn how we can support you for DORA compliance and seamless expansion across the EU.

EU DORA Regulation – Official EU Website
