The Digital Operational Resilience Act (DORA) is a new European framework for effective and all-inclusive management of digital risks in Financial Markets.
The framework shifts the focus from only guaranteeing firms’ financial soundness to also ensuring they can maintain resilient operations through an incident of severe operational disruption deriving from Cybersecurity and ICT issues.
By introducing a single consistent supervisory approach across the relevant sectors, DORA ensures convergence and harmonization of security and resilience practices across the EU.
DORA will apply to more than 22,000 financial entities and ICT service providers operating within the EU.
The regulation will introduce specific and prescriptive requirements for all financial market participants, including, for example, banks, investment firms, insurance undertakings and intermediaries, crypto-asset providers, data reporting providers and cloud service providers.
DORA introduces an end-to-end framework spanning effective risk management, ICT and cybersecurity operational capabilities, and third-party management, ensuring a consistent provision of services across the entire value chain.
The regulation is unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).
The EU-wide uniform requirements of DORA mean that financial entities need to ensure they can manage a consistent maturity level of cybersecurity and operational resilience across all their EU operations.
With a two-year “getting ready” period, there is a lot that needs to be considered, implemented, and demonstrated.
Starting right now, financial institutions should conduct comprehensive gap assessments to evaluate their respective maturity vis-à-vis DORA and timely identify any areas that require further investment and prioritization.
This will put your business in a better position to address more complex requirements such as supply risk management, threat intelligence, and advanced security testing, providing you with a competitive advantage on the market.
We see DORA as a significant change for entities within ESMA or EIOPA supervision, but also for banks which have already had to comply with existing EBA guidelines on banking supervision.
DORA also extends its scope to include other stakeholders in the financial sector who so far have not been subject to extensive ICT security regulation, e.g. crypto-asset service providers, intermediaries, managers of alternative investment funds, crowdfunding service providers, cloud-service providers and ICT third-party service providers.
Given the strong focus on third party risk management, entities are expected to satisfy themselves of a third party’s resilience which will require close interaction and joint efforts with their critical ICT third-party service providers, especially where they support the delivery of an important business service.
DORA entered into force at the beginning of 2023. With an implementation period of two years, financial entities will be expected to be compliant with the regulation by early 2025 at the latest.
Financial entities are required to set up a comprehensive ICT risk management framework, including:
Set up and maintain resilient ICT systems and tools that minimize the impact of ICT risk
Identify, classify and document critical functions and assets
Continuously monitor all sources of ICT risk in order to set up protection and prevention measures
Establish prompt detection of anomalous activities
Put in place dedicated and comprehensive business continuity policies and disaster recovery plans, including yearly testing of the plans, covering all supporting functions
Establish mechanisms to learn and evolve both from external events as well as the entity’s own ICT incidents
Financial entities are required to:
Develop a streamlined process to log/classify all ICT incidents and determine major incidents according to the criteria detailed in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA)
Submit an initial, intermediate and final report on ICT-related incidents
Harmonize the reporting of ICT-related incidents through standard templates as developed by the ESAs
The regulation requires all entities to:
Perform basic testing of ICT tools and systems annually
Financial entities are required to:
Ensure sound monitoring of risks emanating from the reliance on ICT third-party providers
Report their complete register of outsourced activities, including intra-group services and any changes to the outsourcing of critical services to ICT third-party service providers
Take account of ICT concentration risk and the risks arising from sub-outsourcing
Harmonize key elements of the service and of the relationship with ICT third-party providers to enable complete monitoring
Ensure that contracts with ICT third-party providers contain all the necessary monitoring and access details, such as a full service level description, an indication of the locations where data is processed, etc.
Critical ICT third-party service providers will be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks. Financial entities must take into account the ICT third-party risk posed by service providers that do not follow the issued recommendations.
The regulation allows financial entities to set up arrangements amongst themselves to exchange cyber threat information and intelligence.
The supervisory authority will provide relevant anonymized information and intelligence on cyber threats to financial entities. Therefore, entities should implement mechanisms to review and take action on the information shared by the authorities.
Given the broad scope of DORA, it is likely that it addresses many topics that have already been covered by existing regulations in the EU.
Nevertheless, certain topics such as threat intelligence and threat-led penetration testing are of a new character and therefore require heightened attention. Further, the ability to develop an overarching visibility and understanding of all the key dependencies between your entity and your critical ICT service providers is another challenge we see.
Our recommendation for all entities in scope is therefore that, regardless of where you are in terms of the maturity of your digital and operational resilience, DORA should be a trigger for either starting or enhancing your resilience journey. An initial gap analysis and maturity assessment is a good starting point.
Generally, entities that are applying the current regulatory requirements in line with current audit practices may be better positioned to implement the majority of the DORA requirements. Yet, having supported numerous clients with their cybersecurity and resilience efforts, our message is: do not be complacent. There is no such thing as “too resilient” or “too secure”.