Digital Operational Resilience Act (DORA)

What is DORA?

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) (‘DORA’) is a regulatory framework established by the European Union (‘EU’) that became effective on 17 January 2025. DORA is aimed at fortifying the operational resilience of the financial services sector amidst the rapidly evolving landscape of Information and Communication Technology (‘ICT’) risks.

Financial Entities are increasingly dependent on ICT services for their functioning. DORA prescribes ways in which EU-regulated Financial Entities (‘Financial Entities’) are required to test their operational resilience and cyber resilience, and to manage ICT risks, including certain third-party risks. It also outlines the mechanisms by which regulators, including the European Supervisory Authorities (‘ESA’) and national competent authorities, will monitor Financial Entities.

DORA aims to provide a harmonised approach to achieving “a high level of digital operational resilience” in the financial services industry by ensuring that Financial Entities can withstand and adapt to a wide range of threats and disruptions, including cyber-attacks, IT failures, and other operational risks.

Key topics

Comprehensive ICT risk management framework

DORA requires Financial Entities to have in place a robust and comprehensive ICT risk management, governance, and control framework to mitigate their exposure to ICT risks and cyber incidents.

Digital operational resilience testing

Financial Entities are required to put in place comprehensive digital operational resilience testing programmes according to the requirements set out under DORA. This includes joint threat-led penetration testing (‘TLPT’) with ICT service providers, pooled testing, and mutual recognition of testing results, allowing firms to further streamline their resilience tests and ensure that the ICT services supporting their functions are resilient to risks and cyber incidents.

ICT third-party risk management

DORA defines and strengthens ICT third-party risk management, building on existing outsourcing guidelines by the ESA. This supports Financial Entities in enhancing their management of third-party risks and standardises expectations of ICT third-party providers.

ICT incident reporting

DORA harmonises incident reporting requirements for Financial Entities. This allows them to adopt standardised processes across EU geographies to classify, communicate (to regulators and clients), and report on potential ICT risks and cyber incidents, as part of a holistic incident management capability.

Information sharing

DORA provides an option to Financial Entities to exchange information about cyber threats, including indicators of compromise, techniques, procedures, configuration tools, cyber security alerts, etc., with their peers. This helps improve risk readiness and operational response capability across the EU financial sector.

Scope and Approach

FAQs

  • The Digital Operational Resilience Act, or "DORA", is an EU regulation on digital operational resilience for the financial sector that came into force on 17 January 2025. DORA aims to establish a harmonised operational resilience framework across the EU. Amongst other things, DORA requires Financial Entities to ensure their agreements with ICT service providers contain certain contractual requirements. These are predominantly set out in Articles 28 and 30 of DORA. LSEG expects a number of its services will constitute “ICT services” for the purposes of DORA.

  • DORA applies across the financial services sector in all EU member states, specifically to ICT services used in the EU by Financial Entities. It also introduces a framework for direct oversight of designated ICT service providers by EU regulatory authorities, even if they are located outside the EU. For LSEG, this means that: (1) a number of LSEG’s regulated EU businesses fall within the direct scope and impact of DORA; and (2) LSEG expects clients of certain LSEG services which are in the scope of DORA as ICT services to request support with their DORA obligations.

  • Where LSEG is an ICT service provider, the relevant LSEG business has prepared an Annex or updated its existing Rulebook (or, in the case of Acadia, the existing MSA). The relevant LSEG business Annex, updated Rulebook or MSA contains the contractual provisions that the relevant LSEG business is prepared to offer clients of LSEG ICT services which are in scope of DORA. The Annex, relevant Rulebook clauses, and MSA have been drafted following detailed scrutiny of DORA provisions, in particular Articles 28 and 30 of DORA and any relevant Regulatory Technical Standards. In drafting the Annex, relevant Rulebook clauses, and MSA, LSEG has taken into account standard market practices followed by other ICT service providers as well as industry and client feedback, where applicable and available.

  • For ICT services relating to LSEG Data & Analytics, LSEG Risk Intelligence, and FX businesses, the LSEG Annex can be requested at the self-service client portal https://resiliencehub.lseg.com/. Once the LSEG Annex is signed, the contractual terms for the applicable ICT service(s) are updated to include the LSEG Annex terms. Contact your Account Manager for further information on the LSEG Annex request process and the client portal.

    For ICT services relating to London Stock Exchange plc’s businesses, the LSE Annex can be requested at each business division’s self-service DORA webpage, available below. Clients will receive a DORA variation letter for each business division, which will incorporate the LSE Annex. Once signed, the contractual terms for the applicable ICT service(s) will be updated to include the LSE Annex terms.

    For ICT services provided by LSEG Regulatory Reporting Limited, clients can email their PTRR account manager to request a copy of the PTRR Annex.

    For ICT services provided by TradeAgent, SwapAgent and Acadia, no further action is required as the DORA provisions are contained directly in the relevant Rulebook or MSA and, where they have been inserted as part of a Rulebook amendment, will apply automatically at the expiration of the relevant notice period for amendments.

    For the avoidance of doubt, each of the respective Annexes applies only to the relevant LSEG businesses as stated above and does not apply to ICT services provided by any other LSEG businesses or any other financial services provided by LSEG. If you have questions related to other LSEG businesses or any other financial services provided to you by LSEG, please contact your LSEG account representative.

  • DORA includes a requirement for Financial Entities to complete a register containing information relating to ICT Services they receive and the third-party providers of such services (‘Registers of Information’). Completed Registers of Information are to be submitted to the applicable competent authority for DORA. LSEG Financial Entity clients who wish to make a request to LSEG to provide information to help them populate these Registers of Information can do so via the client portal for LSEG Data & Analytics, LSEG Risk Intelligence and FX, or by reaching out to their respective LSEG account representative for other LSEG businesses.

  • We are carefully monitoring and tracking developments relating to the designation of critical ICT third-party service providers to ensure that we satisfy any applicable regulatory requirements relating to any potential designation in a timely manner.

  • An ICT service is a service which is provided on an ongoing basis through a technology system to one or more internal or external users, which may include hardware services, technical support, cloud computing, software or data analytics services. A financial service that is regulated under EU or third-country legislation should not be considered an ICT service [as confirmed by European Commission Q&A 2999]. LSEG provides a number of services which may constitute ICT services for the purposes of DORA. Details of LSEG’s ICT Services covered by the LSEG Annex can be found on the Client Portal: https://resiliencehub.lseg.com/

Clarificatory Statement in relation to ICT Services vs Regulated Financial Services and ancillary services

In the recent guidance 2999-DORA 030, issued by the European Insurance and Occupational Pensions Authority, the European Commission clarified that where (i) a service constitutes an ICT service under DORA, and (ii) the service provider and the financial service it provides are regulated under Union law, or any national legislation of a Member State or of a third country, the related ICT service should be considered to be predominantly a financial service and should not be treated as an ICT service within the meaning of DORA Article 3(21).

The European Commission further clarified that ancillary services that are inseparable from, indivisible from, preparatory for or necessary for the provision of a regulated financial service, and are not provided in a standalone manner, should not be treated as an ICT service under DORA. In line with such clarification, LSEG considers its regulated financial services and certain services provided by regulated LSEG businesses to be financial services, or services ancillary to financial services, and not ICT services under DORA. To find out which LSEG services are ICT services, please reach out to your account manager for the relevant LSEG business.

Disclaimer:

Any information set out herein is provided for general purposes only and LSEG does not intend to provide this as financial, tax and accounting, legal or other professional advice. Some information may contain opinions, including those of third parties, and LSEG is not responsible for such opinions. LSEG is not responsible for any damages resulting from decisions made by any person in reliance on any information stated above. Anyone accessing, using, or otherwise relying on any information in any respect agrees that they access, use, or otherwise rely on the information at their own risk in all respects.