The Digital Operational Resilience Act – DORA – marks the latest chapter in regulators’ push for operational resilience. The regulation, which introduces a number of requirements tailored to financial firms operating in a digital world, was officially adopted by the EU in January 2023, and impacted organizations have until 2025 to comply.
While financial services firms in the United Kingdom and certain EU countries have had to comply with operational resilience requirements for some time, the passage of DORA is the first time that these regulations extend to the information and communication technology (ICT) service providers that support those functions critical to a firm’s important business services. Financial entities – like banks, insurance providers, credit institutions, investment firms, and crypto-asset service providers – will now need to ensure that the policies and processes of their ICT providers meet the new requirements. The service providers, in turn, must answer to regulators that they are aligned with the same rules that financial firms are beholden to.
The good news is that many of DORA’s requirements closely mirror other operational resilience regulations and industry best practices. However, the implementation timeline is aggressive, and a number of new digital and ICT-specific requirements must be considered. This is the time to understand what’s required and what actions are necessary to align your governance and practices with the Digital Operational Resilience Act.
The Five Pillars of DORA
The Digital Operational Resilience Act centers around five pillars relating to digital and cyber resilience. These pillars formalize and standardize third-party requirements for financial entities with the goal of building a more resilient financial system.
ICT risk management. Firms must take full accountability for managing ICT risks by instituting a digital operational resilience governance and control framework. The framework must include detailed strategies based on risk tolerance that account for the identification, prevention, and detection of risk. Firms also must demonstrate that they can respond to and recover from disruption, and learn and evolve from incidents.
Incident reporting and classification. DORA establishes a standard incident-classification methodology with criteria for duration, impact, and criticality of services affected. Significant incidents must be reported to regulators in a timely manner. This pillar is meant to streamline a number of existing EU incident-reporting obligations for financial services firms; however, many firms will need to expand the way they assess the quantitative impact and analyze the root causes to comply with DORA.
Digital operational resilience testing. Firms must run comprehensive scenario testing of security and resilience and fully address any vulnerabilities identified by the testing. The most important firms also must have an independent tester perform advanced large-scale penetration testing every three years on critical functions and ICT providers.
Information sharing between financial entities. The guidelines encourage collaboration among financial entities to raise awareness of ICT risks, minimize cybercrime’s ability to spread, and support mitigation strategies.
ICT third-party risk. To help prevent systemic economic disruption, firms must monitor risk from technology providers throughout the relationship, using sound third-party risk management practices.
How to Prepare Now for DORA
While much of DORA is purposely built on existing regulations in an effort to harmonize standards, compliance will take significant effort – and in a short time frame. Here are three steps to get started:
- Conduct a gap analysis. What provisions of the regulation are you already following – and what else needs to be done to comply? Many requirements center on governance, risk, and compliance for ICT functions, on collecting and reporting incidents, and on scenario testing. Identify where your shortfalls exist and create a plan with specific tasks to close the gaps.
- Coordinate with other stakeholders. Anyone working on DORA compliance will want to collaborate with overlapping efforts across the organization, including:
- Business continuity. DORA requires a comprehensive ICT business continuity policy. The idea is to build on existing best practices with significant consideration for business continuity and IT disaster recovery plans, particularly in response to a cyberattack. Adapting technology loss scenarios used for planning while simultaneously considering how a cyberattack could alter response and recovery can help you prepare more holistically for a cyber event.
- Operational resilience. Operational resilience activities that identify functions and processes supporting critical business services can help prioritize those functions under DORA. End-to-end mapping activities can provide a window to vulnerable resources, including risks that could affect technology availability and ICT systems. Testing types required by DORA can also be conducted in conjunction with scenario testing required by operational resilience. Technology-specific tests could be layered on resilience scenario-testing plans and used to substantiate that you are within stated impact tolerances.
- Third-party risk management. DORA outlines specific steps that organizations must take prior to engaging in a relationship with an ICT third party, such as determining if the provider will support critical/important functions and if the third party could aggravate concentration risk. This is an opportunity to collaborate with continuity, resilience, and third-party risk management teams and leverage the results of a business impact analysis or end-to-end mapping to determine the potential criticality of a third party. There are also requirements around exiting contracts in certain circumstances, which puts pressure on ICT providers to retain the same level of security as financial institutions. These requirements will benefit risk practitioners who often have the unenviable task of identifying a third party or concentration risk but lack the authority to keep the business from entering the relationship.
- Information technology. Financial entities and their ICT providers must maintain at least one secondary processing site with resourcing commensurate with business need. The secondary site must be geographically separated, capable of continuing critical services, and accessible to staff.
- Map your crisis communication plan. DORA outlines specific provisions around crisis communications surrounding significant disruption. Communication plans must consider both technical and nontechnical staff and identify public spokespersons. Firms also are required to have a crisis management function to coordinate activities. This codifies best practices that many organizations already follow to maintain a command-and-control structure during a disruption that isn’t solely staffed with technical expertise.
While DORA may seem like yet another cyber regulation, it is in fact a turning point that will force organizations to look at technology risk in new ways and build off the strength of other risk disciplines, including business continuity, operational resilience, and third-party risk management. Taking a comprehensive and holistic approach will help improve the overall resilience of your organization, as well as the financial sector as a whole.
Complying with the Digital Operational Resilience Act is your opportunity to accelerate strategic change in how you manage digital risk. And don’t delay – January 2025 will be here in no time.
For more on resilience, download our white paper, Operational Resilience: Navigating the Global Regulatory Landscape, and check out Riskonnect’s Business Continuity & Resilience software.