Navigating the Digital Operational Resilience Act (DORA)
What is it, and what does it mean for Financial Institutions across the EU?
Introduction
The Digital Operational Resilience Act (DORA) is a new regulatory framework introduced by the European Union (EU) that aims to enhance the operational resilience of financial institutions across the EU.
Introduced in December 2022, DORA is designed to address the ever-growing threat of cyberattacks and other disruptions that could pose significant threats to the financial system as a whole.
Companies will have a relatively short implementation period, as they will be expected to be fully compliant with the regulation by 17 January 2025.
Who is concerned?
“All financial market participants” will be affected by the regulation. In article 2, DORA sets out a clear list of the entities that fall within its scope.
In short, DORA mainly concerns 2 types of entities: Financial Institutions (banks, payment providers, credit institutions, investment firms, etc.) and ICT service providers (cloud providers, software providers, etc.).
The full list of concerned entities can be found here: https://www.digital-operational-resilience-act.com/Article_2.html
Understanding DORA
DORA and the proportionality principle
The Digital Operational Resilience Act (DORA) incorporates the principle of proportionality to guarantee that regulatory obligations are commensurate with the size, risk profile, and nature of financial institutions’ activities. This implies that smaller institutions with lower risk profiles will not be compelled to implement the same level of operational resilience measures as larger, more intricate institutions.
DORA and its 5 pillars
DORA introduces a comprehensive set of guidelines that financial institutions must comply with in order to strengthen their operational resilience. DORA covers 5 main pillars:
ICT Risk Management
DORA states in its article 5 that “financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk (…) in order to achieve a high level of digital operational resilience.”
This short sentence will have a profound impact on financial entities, as it means they will have to put in place a comprehensive ICT Risk Management Framework (ICT-RMF) as part of their overall risk management.
As part of that framework, concerned financial entities will have to:
- Identify their critical systems and functions, meaning any system or function that is deemed essential for business continuity.
- Develop and maintain strategies, procedures, ICT protocols and tools to protect information and ICT assets from all types of risk (such as damage, cyber-attacks, etc.). This can include Business Continuity Management (BCM) and Disaster Recovery (DR) policies and/or procedures.
- Create a dedicated control function to manage and oversee ICT risk.
- Define a holistic ICT multi-vendor strategy designed to avoid over-dependency on any single provider.
ICT-related incident management, classification, and reporting
DORA states in its article 18 that “Financial entities shall classify ICT-related incidents and shall determine their impact” and in its article 19 that “Financial entities shall report major ICT-related incidents to the relevant competent authority”.
In short, under DORA, financial entities will now have to classify, notify, and report ICT-related incidents to their respective national regulator(s).
As part of this framework, financial entities must:
- Develop and maintain efficient procedures to document and categorize all noteworthy ICT incidents, necessitating well-established incident management capabilities to oversee, address, and resolve each incident.
- Inform clients and other financial entities in case of a major ICT incident and provide them with details regarding suitable security measures.
- Submit an initial, intermediate and final report to the competent national regulator or authority.
Digital operational resilience testing
In its article 24, DORA states that “(…) financial entities (…) shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework (…)”.
DORA thus introduces Operational Resilience Testing requirements for financial entities, which will now have to:
- Develop, maintain, and review a sound and comprehensive digital operational resilience testing program as an integral part of the ICT risk-management framework.
- Conduct yearly tests on all ICT systems and applications supporting critical or important functions. These tests must be conducted by independent parties, whether internal or external.
- Develop, maintain, and review procedures and policies to prioritize, classify and remedy all issues revealed throughout the performance of the tests and establish internal validation methodologies to ensure that all the identified weaknesses, deficiencies or gaps are fully addressed.
Managing ICT third-party risk
In its article 28, DORA states that “Financial entities shall manage ICT third-party risk as an integral component of ICT risk within their ICT risk management framework”.
This means that third-party risk management is now fully mandatory, and financial entities must:
- Ensure that the contracts with third-party ICT providers include all necessary monitoring and accessibility requirements, as well as the required contractual terms.
- Develop, maintain and review an ICT third-party risk strategy as an integral component of their comprehensive ICT risk management framework. This strategy should include policies and procedures governing the utilization of ICT services offered by third-party providers that support critical or significant functions.
- Maintain and update an information register pertaining to all contracts formed with external service providers.
- Provide the competent national authority with an annual report that details the number of new agreements made with third-party service providers, the different categories of these providers, the types of contracts established, and the specific ICT services and functions being offered. Additionally, any upcoming contractual arrangements involving the use of ICT services that support critical or essential functions must be promptly communicated to the competent authority.
- Ensure that proper pre-contract due diligence is carried out on third-party ICT service providers.
Information-sharing arrangements
In its article 45, DORA states that “Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools”.
Under DORA, financial entities are thus allowed to exchange information among themselves as long as it pertains to cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools.
Compliance and Enforcement Mechanisms
Financial entities have a little more than a year to become fully compliant with the regulation. As of early January 2025, regular audits and evaluations will be conducted on financial institutions to validate their compliance with the updated regulations. Failure to comply with DORA may lead to significant penalties, such as operational limitations, license revocations, administrative fines, and reputational harm. The severity of these sanctions will be assessed individually, considering the seriousness and nature of the non-compliance, the institution’s compliance history, and the potential impact on financial stability.
In Conclusion
The Digital Operational Resilience Act (DORA) is a significant milestone in fortifying the operational resilience of the European financial system. DORA mandates proactive risk management, improved governance, and robust compliance measures to ensure the stability and resilience of the financial sector in the face of increasingly sophisticated threats.
To comply with DORA, financial institutions must adopt a proactive approach and develop comprehensive strategies that align with the new regulations, integrating operational resilience into their core business processes. By embracing the principles of DORA and implementing effective measures, institutions can strengthen their ability to withstand disruptions, safeguard customer data, and contribute to the overall stability of the financial system.
Taleo, as an expert consulting firm, can help you navigate the complexities of DORA and achieve effective compliance. We can offer guidance, support, and resources to help your organization assess its current operational resilience posture, develop comprehensive compliance strategies, and implement the necessary measures to meet DORA’s stringent requirements. By leveraging our expertise, your organization can expedite its transition to DORA compliance, minimize disruptions, and enhance its overall operational resilience.
Sources:
https://www.fieldfisher.com/en/insights/managing-ict-third-party-risk-under-dora
https://www.digital-operational-resilience-act.com/
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554