Digital operational resilience – act now for DORA and CPS 230 compliance
There is a renewed and critical focus on digital operational resilience in Australia, the EU and beyond. The EU's Digital Operational Resilience for the Financial Sector Regulation 2022/2554 (DORA) predominantly tackles ICT risk management, while APRA's Prudential Standard CPS 230 Operational Risk Management (CPS 230) takes a more expansive approach to operational risk management.
DORA now in force
DORA entered into force on 17 January 2025. It seeks to comprehensively address ICT risk management in the financial services sector. This should improve the previously fragmented approach to regulation across EU member states. DORA has a broad scope and covers almost the entire financial sector – including payment institutions, credit institutions, electronic money institutions, insurance companies and management companies – as well as ICT service providers.
It also has extraterritorial operation. Australian and other international financial services entities can be subject to DORA if they operate in the EU. Non-EU ICT service providers will also be captured as soon as they enter into contractual arrangements with financial services entities covered by DORA. In addition, non-EU ICT service providers that are designated by EU supervisory authorities as critical to the operations of EU-based financial services entities must establish a subsidiary in the EU within 12 months of the designation. (This does not trigger a requirement that data be processed locally in the EU, but it does mean that EU supervisory authorities can conduct inspections outside the EU if necessary.)
DORA introduces requirements concerning ICT risk management, incident reporting and notification, digital operational resilience testing, information-sharing arrangements on cyber threat information and intelligence, key principles for the sound management of ICT third-party risk, and requirements in relation to contractual arrangements concluded between financial services entities and ICT service providers.
CPS 230 coming soon
CPS 230 will apply in full from 1 July 2025 for most APRA regulated entities. APRA has provided limited relief to non-significant financial institutions, which have until 1 July 2026 to comply with the new business continuity and scenario analysis requirements. There is also a transition period for pre-existing contractual arrangements, with CPS 230 requirements applying from the earlier of their next renewal date or 1 July 2026.
The aim of CPS 230 is to ensure that APRA regulated entities are resilient to operational risks and disruptions. CPS 230 requires these entities to effectively manage their operational risks, maintain their critical operations within tolerance levels during disruptions, and manage the risks arising from service providers. APRA regulated entities must only rely on service providers where they can continue to meet their prudential obligations in full and effectively manage the associated risks. We note that CPS 230 includes a level of proportionality and acknowledges that an entity's approach to operational risk must be appropriate to its size, business mix and complexity.
CPS 230 introduces requirements concerning risk management frameworks, board and senior management roles and responsibilities, operational risk management (e.g. maintaining appropriate and sound ICT capability to meet the entity's current and projected business needs), business continuity (e.g. testing and review), and the management of service provider arrangements (e.g. terms to include in formal agreements).
Thoughts for businesses
Many financial services entities and affected ICT service providers will have commenced, or be well on the way to ensuring, DORA and CPS 230 compliance. This is not an easy task, and we appreciate that a significant amount of energy is needed to implement DORA and CPS 230.
While there are clear differences between DORA and CPS 230, there are inevitably some areas where synergies can be attained. Beyond this, some financial services entities may, at least in the first instance, take the view that heightened requirements should be imposed in their service provider contractual arrangements in any event (e.g. consistency in notification times).
Regardless, financial services entities and affected ICT service providers should ensure that they are intimately familiar with the requirements of DORA and CPS 230, as applicable, and ensure that any relevant contractual terms are revisited and updated, as necessary. Please contact us if you would like support conducting contract audits, updating template or bespoke terms, addressing board concerns, or any other related matters.