With the Digital Operational Resilience Act (DORA) coming into effect on the 17th of January, 2025, it is important that financial institutions are prepared. In this article, we will shed light on what DORA is and how your company can prepare for it. 

What is the Digital Operational Resilience Act?

The Digital Operational Resilience Act is an EU regulation that addresses a significant gap in the EU’s financial regulations. With DORA, institutions are required to adhere to specific protocols for safeguarding against, detecting, containing, recovering from, and rectifying incidents related to information and communication technology (ICT).

DORA explicitly addresses ICT risk, establishing guidelines for risk management, incident reporting, operational resilience testing, and monitoring of ICT third-party risks. This regulation recognises that ICT incidents and operational vulnerabilities can potentially undermine the stability of the entire financial system, even when there is “sufficient” capital allocated for conventional risk categories.

What is the Driving Force Behind DORA?

DORA arises from the absence of a unified framework for managing and mitigating ICT risk across the European financial sector. The regulatory act seeks to fill this gap by harmonising risk management rules throughout the EU, ensuring consistent high standards across all financial institutions. Compliance with DORA is intended to simplify regulatory complexities caused by disparities between regulations in various member states. By doing so, it aims to streamline compliance for financial entities and bolster the resilience of the entire EU financial system.

The 5 Technical Requirements of DORA

ICT risk management and governance:

This entails devising strategies, evaluating them, and implementing controls. Accountability extends to all levels, requiring entities to prepare for potential disruptions. Plans must cover data recovery, communication strategies, and measures for diverse cyber risk scenarios.

Incident reporting:

Entities are mandated to establish systems for monitoring, managing, and reporting ICT incidents. Depending on severity, reports to regulators and affected parties may be required, encompassing initial, progress, and root cause analyses.

Digital operational resilience:

Entities are obligated to regularly assess their ICT systems to evaluate protections and identify vulnerabilities. Results are reported to competent authorities, with basic tests conducted annually and threat-led penetration testing (TLPT) every three years.

Third-party risk management:

Financial institutions must actively manage ICT risk with vendors and partners by implementing know-your-third-party processes, negotiating exit strategies, audits, and performance targets. Compliance oversight is enforced by competent authorities, and standardised contractual clauses are under exploration.

Information sharing:

DORA encourages financial entities to establish incident learning processes, including participation in voluntary threat intelligence sharing. Shared information must adhere to relevant guidelines, safeguarding personally identifiable information (PII), including that gathered during identity verification, under the EU’s General Data Protection Regulation (GDPR).

How to Prepare for DORA

According to the regulation, in order to comply, companies must adhere to five main rules:

  1. Every organisation must establish an ICT Risk Management Framework.
  2. Every organisation must implement an incident response process.
  3. Security testing is mandatory and its frequency must increase.
  4. Third-party risks associated with suppliers must be thoroughly assessed.
  5. Mandatory sharing of threat intelligence will be enforced.

This means that before the 17th of January 2025, your company has to:

Establish a risk management framework, ensuring all ICT-related risk is assessed and responded to accordingly. This will include protocols for data recovery, communication, and response to cyber-attacks.

Conduct a gap assessment of your existing processes, ensuring the new regulation is covered and testing protocols are in place.

Review your incident reporting process to create steps for fast and accurate reports, and establish steps for sharing this information with regulators and affected parties.

Develop or enhance your testing plan to allow for more frequent security checks. Planning the testing schedule for upcoming years as well will make the process more effective.

Last Thoughts

DORA serves as a timely response to the evolving challenges posed by digitalisation and cyber threats in the financial sector. By prioritising operational resilience and risk management, DORA sets a precedent for proactive regulatory measures that aim to protect the integrity and stability of financial markets.

FAQ

DORA applies to:

  - credit institutions;
  - payment institutions and electronic money institutions;
  - investment firms;
  - alternative investment fund managers;
  - (re)insurance undertakings, (re)insurance intermediaries and ancillary insurance intermediaries.