Digital Operational Resilience Act (DORA)
- The DORA regulation requires financial institutions and the companies providing their ICT services to build digital resilience into all levels of their operations.
- The organisations concerned should start assessing their shortcomings without delay by performing a gap assessment and preparing a roadmap to achieve compliance.
The digitisation of the financial sector, and with it the sector's exposure, is ever increasing. To date, different financial supervisors across the EU have addressed ICT risks in different ways and with different levels of effectiveness.
EU Regulation 2022/2554 on digital operational resilience for the financial sector, officially known as the Digital Operational Resilience Act (DORA), aims to standardise and improve ICT risk management practices in the EU financial sector. This is to be achieved by consolidating the risk management requirements for financial institutions and their third-party ICT service providers, i.e. by defining common requirements.
What is crucial to know about the DORA regulation?
Unlike other EU legislation on cybersecurity, DORA is not principle-based legislation but a detailed list of requirements aimed at enhancing the operational and security capabilities of financial institutions. Although DORA builds on previous EU and national legislation, guidelines from supervisory authorities, and international security and ICT risk management standards, it is in fact the first attempt to harmonise the quality requirements for ICT risk management at EU level and to standardise the regulatory framework.
Compliance with the new requirements is a shared interest between financial institutions and their critical external ICT service providers, thus compliance requires joint work, cooperation and coordination.
While not all requirements are entirely new, it is worth noting that the criteria to be met are now based on binding EU and national laws and regulations, not just ICT standards and official guidelines anymore.
Another important consequence is that ICT service providers will become semi-supervised entities: the European Supervisory Authorities will be empowered to assess and guide them, with the authority to impose sanctions for non-compliance.
The European Commission proposed a completely new regulatory framework for digital risk management for financial institutions and some ICT service providers back in September 2020.
The DORA Regulation was published in the Official Journal of the European Union on 27 December 2022. It entered into force on 16 January 2023 and will be applicable from 17 January 2025.
In the next 24 months the authorities will finalise the detailed rules defined in the Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), and these 24 months serve as a grace period for the organisations concerned to prepare. During this period, detailed clarifications will be made to the rules without modifying the provisions of the basic text of the regulation already in force. Achieving compliance will be a time-consuming and resource-intensive task, so it is worth starting preparations in good time to ensure that the organisation is ready by the end of the 24 months.
Once the 24 months have passed (by the end of 2024), the Regulation will become compulsory, except for the chapters requiring penetration tests, for which an additional 12-month grace period will be granted.
Who is in scope of the DORA Regulation?
As one of the main objectives of the Regulation is to harmonise the rules on ICT risk management, the scope of DORA is quite broad. It covers all financial actors from credit institutions to payment institutions and insurance companies.
In addition to financial operators, DORA also regulates critical ICT service providers, including for example cloud service providers. It is proposed that each critical ICT service provider will have a Lead Overseer (the EBA, ESMA or EIOPA) who will supervise the service provider's processes and measures for addressing potential ICT risks to financial actors. The powers of the Lead Overseer could range from requesting information to conducting investigations and imposing coercive fines on service providers.
What are the main obligations outlined in DORA?
DORA sets out a comprehensive framework to address the risks associated with the increasing digitalisation of the financial sector, dividing the regulation into the following chapters:
ICT risk management
The governing body of the financial institution retains ultimate responsibility for managing ICT risk. Thus, the DORA lists the roles and responsibilities of the board, including the explicit obligation for board members to develop and maintain their knowledge of ICT risks.
Financial institutions should identify their ICT risk environment and have a comprehensive ICT risk management framework in place to guide and direct all work related to ICT risk management. Financial organisations (with the exception of micro-enterprises) are also required to implement and operate an internationally recognised information security management system.
ICT-related incident management, classification and reporting
Financial institutions are required to implement an ICT-related incident management process and develop capabilities to monitor, manage and follow up on such incidents.
Incidents must be classified according to the factors defined in the Regulation, such as the geographical scope of the incident, the criticality of the services involved, or the duration of the incident. Serious incidents must be reported to the competent authority in accordance with the three-tiered procedure defined in the Regulation.
Digital operational resilience testing
DORA requires the implementation of a proportionate and risk-based digital operational resilience testing programme. This programme must provide a full range of tests, such as vulnerability assessments, scans and network security assessments.
Critical ICT systems and applications must be tested annually, and some financial organisations are also required to carry out Threat Led Penetration Testing (TLPT) once every three years.
Managing ICT third-party risk
DORA treats the risks arising from third parties providing ICT services to a financial institution as an integral part of the ICT risk management framework. Financial institutions are therefore required to regularly review their ICT third-party risk strategy and to maintain a register of all contractual arrangements with ICT third parties.
The DORA also defines the most important steps for the deployment of new ICT services, the requirements for the termination of services, and specific provisions to be included in contracts with external service providers. It also requires financial institutions to carry out ICT concentration risk assessments before entering into new contractual arrangements.
Financial institutions may share cyber threat information and intelligence with each other, provided that such information sharing is aimed at enhancing the digital operational resilience of financial institutions, takes place within trusted communities and is in accordance with applicable laws (e.g. laws on data protection, trade secrets and competition).
How to prepare
Fortunately, the overall picture is now somewhat clearer. However, the details of the newly established requirements will still be determined by the supervisory authorities (EBA, ESMA, EIOPA) through second-level measures such as Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS).
All parties concerned should follow the discussions on the development of the Level 2 measures in order to meet the final requirements in time.
DORA is an important step forward in improving the security maturity of financial institutions and their ICT service providers. Uniform, transparent and accountable regulation in this area is the cornerstone of a cybersecurity-resilient and up-to-date enterprise and an important bastion of our digital society.
Financial institutions, ICT service providers and partners providing critical services to the financial sector are advised to plan and comply with the tightened or completely new requirements by the end of 2024. Some of the requirements will not represent significant changes to current frameworks and arrangements, while others will require a lot of time, coordination and effort from a wide range of professionals within organisations.
SOCWISE has advised on a wide range of projects in the areas of ICT risk management, resilience, cybersecurity, third party management and the financial sector regulatory framework.
Our colleagues have many years of consulting experience with clients in the financial and ICT sectors and have a broad range of expertise in compliance, management decision support and risk assessment (GRC) that can be applied to DORA preparation.
Please feel free to contact us in order to ask for a proposal, or to find out more on any of the following topics:
- Gap analysis aimed at developing a roadmap to meet the required operational resilience framework
- Identification and registration of critical ICT service providers
- Supplier management / Third Party Risk Management (TPRM)
- Incident management and reporting
- Business continuity and disaster recovery assessment