
DORA vs MAS and HKMA: How Asian Financial Hubs Compare on Operational Resilience

DORA Atlas Editorial | 12 min read

Three Hubs, One Problem

The world's major financial hubs face the same fundamental challenge: financial services have become digital services, and digital services are vulnerable to disruptions that can cascade through interconnected systems, affect millions of customers, and threaten market stability. The regulatory response to this challenge has been remarkably parallel — but not identical.

The European Union enacted DORA (Regulation 2022/2554), a binding regulation that applies directly across 27 member states with specific articles, timelines, and enforcement mechanisms. Singapore's Monetary Authority of Singapore (MAS) issued Technology Risk Management (TRM) Guidelines and Business Continuity Management (BCM) Guidelines that set supervisory expectations through a guidelines-based approach. Hong Kong's HKMA published its Operational Resilience Framework (OR-2) and Enhanced Competency Framework for operational risk and technology risk.

For global financial institutions operating across all three jurisdictions — and there are many — understanding the convergences and divergences between these frameworks is essential for building a unified compliance approach that satisfies all three regulators without tripling the effort.

Structural Comparison

The most fundamental difference is legal structure:

| Dimension | DORA (EU) | MAS TRM/BCM (Singapore) | HKMA OR Framework (Hong Kong) |
|---|---|---|---|
| Legal form | Binding regulation (directly applicable) | Guidelines (supervisory expectations) | Supervisory policy manual module |
| Scope | 21 categories of financial entities | All MAS-regulated financial institutions | All authorized institutions (AIs) |
| Enforcement | NCA supervision + ESA coordination + penalties | MAS supervisory action (enforcement notices, conditions) | HKMA supervisory action (conditions on license) |
| Proportionality | Explicit (Art. 4) | Implicit (risk-based expectations) | Implicit (proportionate to nature, scale, complexity) |
| Effective date | January 17, 2025 | Ongoing (revised periodically, latest 2021) | 2022 framework, phased implementation |

Scope Differences

DORA's scope is the broadest of the three frameworks, covering 21 categories of financial entities including banks, insurers, investment firms, payment institutions, crypto-asset service providers, crowdfunding platforms, and trade repositories. MAS TRM applies to all MAS-regulated institutions but with differentiated expectations by institution type. HKMA OR focuses specifically on authorized institutions (banks).

Pillar-by-Pillar Comparison

ICT Risk Management Framework

| Aspect | DORA | MAS TRM | HKMA OR |
|---|---|---|---|
| Board accountability | Art. 5(2): management body must approve and oversee ICT risk framework | TRM 3.0: board and senior management responsible for technology risk governance | OR-2: board oversight of operational resilience framework |
| ICT asset register | Art. 8: mandatory register, updated at least annually | TRM 4.0: technology asset inventory expected | Implied through risk management requirements |
| Risk assessment | Art. 6: continuous risk identification and assessment | TRM 4.1: regular risk assessments | Risk management module: periodic assessments |
| Board reporting | Art. 14: annual minimum, specific content requirements | TRM 3.0: regular reporting to board | OR-2: periodic reporting to board and senior management |

DORA is the most prescriptive, specifying exact requirements for the ICT asset register (Art. 8) and board reporting (Art. 14). MAS TRM is principle-based but expects comparable outcomes. HKMA is the most flexible, relying on the institution's own risk management framework with supervisory assessment of adequacy.

Third-Party Risk Management

This is where the frameworks diverge most significantly:

| Aspect | DORA | MAS TRM / Outsourcing Guidelines | HKMA Outsourcing SPM |
|---|---|---|---|
| Contractual provisions | Art. 30: specific mandatory provisions listed | Guidelines on Outsourcing: key principles for outsourcing agreements | SA-2: general principles for outsourcing arrangements |
| Register of information | Art. 28(3): mandatory register, specific format | Not a formal register requirement | Not a formal register requirement |
| Exit strategies | Art. 28(8): mandatory exit plans | Encouraged but not as specific | General contingency planning expected |
| Sub-outsourcing | Art. 30(2)(g): notification and objection rights | Guidelines address sub-outsourcing transparency | SA-2 addresses sub-contracting notification |
| Concentration risk | Art. 29: explicit assessment mandate | Addressed in cloud outsourcing guidance | Addressed through dependency risk assessment |
| CTPP oversight | Art. 31-44: Lead Overseer framework | MAS direct supervisory engagement with critical providers | HKMA engagement through supervisory dialogue |

DORA's Art. 31-44 Lead Overseer framework for critical third-party providers is unique — neither MAS nor HKMA has an equivalent direct oversight mechanism for technology providers. MAS relies on its outsourcing guidelines and direct engagement with significant service providers. HKMA addresses third-party risk through its outsourcing supervisory policy module.

For institutions operating across all three jurisdictions, DORA's Art. 30 contractual requirements are the most demanding and can serve as the baseline for contracts that also satisfy MAS and HKMA expectations.

Incident Reporting

| Reporting element | DORA | MAS | HKMA |
|---|---|---|---|
| Initial notification | 4 hours from classification | 1 hour from discovery (critical) | As soon as practicable |
| Interim report | 72 hours | Not formally required | Not formally required |
| Final report | 1 month | 14 days (root cause analysis) | Post-incident review |
| Classification framework | Art. 18: specific criteria | MAS Technology Risk Incident Notification | Risk-based assessment |
| Cross-border coordination | Art. 19(6): NCA coordination | MAS bilateral coordination | HKMA bilateral coordination |

MAS requires both the fastest initial notification (1 hour) and a shorter final reporting window than DORA (14 days vs. 1 month). DORA is the most structured, with its three-phase approach of initial notification, interim report, and final report. HKMA is the most flexible, relying on "as soon as practicable", which leaves room for supervisory discretion.

Resilience Testing

| Testing element | DORA | MAS TRM | HKMA |
|---|---|---|---|
| Basic testing | Art. 24-25: annual testing programme | TRM 6.0: regular testing expected | Periodic testing expected |
| Advanced testing (TLPT) | Art. 26-27: mandatory for significant entities, 3-year cycle | Red team testing expected for significant institutions | Cyber resilience assessment (iCAST) |
| Testing scope | All critical functions and supporting ICT systems | Technology infrastructure and applications | Critical business services |
| Evidence requirements | Art. 24(6): documentation and reporting | Testing reports expected | Assessment reports expected |

Hong Kong's intelligence-led Cyber Attack Simulation Testing (iCAST) framework is the closest Asian equivalent to DORA's TLPT. Singapore's MAS has issued cyber-specific testing expectations aligned with TIBER-EU, the framework on which DORA's TLPT builds.

Convergence and Divergence

Where the frameworks converge

All three frameworks agree on the fundamentals:

  • Board and senior management accountability for operational resilience
  • Regular risk assessment and testing
  • Third-party risk management with contractual safeguards
  • Incident reporting to the supervisor
  • Business continuity and disaster recovery
  • Proportionate application based on institutional risk profile

Where the frameworks diverge

The divergences are primarily in specificity and enforcement mechanism:

DORA is the most prescriptive. Specific articles, specific timelines, specific contractual provisions, specific reporting formats. This creates clarity but reduces flexibility.

MAS is the most pragmatic. Guidelines-based approach with supervisory expectations that can be adapted to Singapore's concentrated market. The small number of major institutions in Singapore allows for more direct supervisory engagement.

HKMA is the most principles-based. Relies heavily on the institution's own risk management framework, with HKMA assessing adequacy through supervisory dialogue and examination. Less prescriptive than DORA, more flexible than MAS.

Building a Unified Compliance Framework

For institutions operating in all three jurisdictions, the efficient approach is to build on the most demanding framework and demonstrate compliance with the others through mapping:

Using DORA as baseline, supplement for:

  • MAS: Faster incident notification (1 hour vs. 4 hours), MAS-specific outsourcing notification requirements, Singapore-specific data localization expectations
  • HKMA: iCAST testing methodology (may differ from TIBER-EU/TLPT), HKMA-specific supervisory expectations for authorized institutions, Hong Kong data privacy requirements

This approach avoids building three parallel frameworks while ensuring each jurisdiction's requirements are met.

Strategic Implications for Global Institutions

Regulatory convergence is accelerating. The EBA, MAS, and HKMA all participate in international forums (FSB, BCBS, CPMI-IOSCO) where operational resilience standards are being harmonized. The frameworks will converge further over time.

DORA is setting the global benchmark. Due to its specificity and the EU's market weight, DORA is becoming the reference framework against which other jurisdictions calibrate their own requirements. MAS and HKMA are likely to evolve toward greater specificity, not less.

Cross-border incident coordination is immature. While each framework addresses incident reporting to the local supervisor, the mechanisms for coordinating incident response across EU, Singapore, and Hong Kong are still developing. Institutions must build their own cross-border incident coordination capabilities.

Use the DORA readiness assessment to evaluate your compliance posture, review the pillars overview for a structured DORA requirements map, and consult the glossary for terminology that may differ across jurisdictions. The RTS/ITS reference provides the EU-specific technical standards.

Conclusion

DORA, MAS TRM, and HKMA OR are three expressions of the same regulatory imperative: financial institutions must be able to withstand and recover from ICT disruptions. The convergences are more significant than the divergences — and the divergences are primarily in the level of prescriptiveness, not in the substance of the requirements. Institutions that build on DORA as the most demanding framework and map to MAS and HKMA requirements will achieve compliance across all three jurisdictions efficiently. The alternative — three parallel frameworks — is neither sustainable nor necessary.


Summary (translated from French)

The EU's DORA, Singapore's MAS Technology Risk Management Guidelines, and Hong Kong's HKMA Operational Resilience Framework represent three distinct regulatory approaches to the same problem. This article offers a pillar-by-pillar comparative analysis: ICT risk management framework (DORA the most prescriptive, MAS principles-based, HKMA the most flexible), third-party risk management (DORA with its unique Lead Overseer framework for critical providers), incident reporting (MAS the fastest at 1 hour, DORA the most structured with three phases, HKMA the most flexible), and resilience testing (DORA's TLPT, MAS red teaming, HKMA's iCAST). The article recommends a unified framework approach using DORA as the baseline (the most demanding) with specific supplements for MAS and HKMA, rather than three parallel frameworks. The convergences among the three frameworks are more significant than the divergences, and DORA is becoming the global reference.
