DORA, the Digital Operational Resilience Act, is an essential piece of regulation proposed by the European Union that aims to establish standardised rules for operational resilience within the financial sector. It applies not only to financial entities but also to information and communication technology (ICT) service providers. DORA seeks to safeguard the financial sector during operational disruptions by enforcing regulations that focus on the prevention, detection, containment, recovery, and repair of ICT-related incidents. By adhering to the requirements of DORA, financial entities can proactively manage risks and strengthen their operational resilience.
One notable change introduced by DORA is that the board of financial institutions is legally responsible for ICT risk, underscoring the significance of proactive measures and the need for organisations to treat operational resilience with significance.
Effective January 17th, 2025, DORA will apply to all financial entities operating within the jurisdiction covered by the regulatory authorities, including banks, insurance companies, investment firms, payment service providers, and other entities involved in financial services. All financial entities, regardless of their size, must comply with the regulatory requirements to ensure operational resilience, and this includes the ICT providers that serve them.
The Digital Operational Resilience Act (DORA) is composed of five components intended to formalise financial entities' requirements to create a more robust financial system. These components include:
DORA emphasises the need for a robust risk management framework that all companies must implement. Companies must take total responsibility for managing digital risks by implementing a governance and control structure that has a strategy based on risk tolerance that accounts for the recognition, prevention, and detection of risk and demonstrates the ability to respond to disruption, recover, and learn from incidents.
DORA promotes sharing threat intelligence and incident data among financial entities and their third-party ICT service providers to enhance resilience. Companies must use a standard methodology for incident reporting and classification, with criteria to determine the duration, impact, and criticality of services affected, with significant incidents needing to be reported to regulators promptly. This collaborative approach strengthens the sector's ability to detect, prevent, and respond to operational disruptions.
DORA highlights the importance of comprehensive supply chain management. Financial entities must assess the resilience of their third-party ICT service providers and ensure their compliance with DORA requirements. To help avoid systemic economic disruption, companies must monitor risk from technology providers throughout the relationship, using appropriate third-party risk management practices.
Companies should conduct comprehensive scenario testing of security and resilience, with the most critical firms requiring an independent tester to perform advanced large-scale penetration testing every three years on critical functions and ICT providers.
The guidelines promote collaboration among financial entities to raise awareness of ICT risks, limit the spread of cybercrime, and support mitigation strategies. By identifying the root causes and lessons learned, companies can implement proactive measures to prevent similar incidents.
1. Review the relevant legislation to determine if DORA applies to their organization.
2. Ensure the board is aware of their duties and obligations.
3. Conduct a GAP analysis to identify areas where the organization must meet the regulation's criteria for ICT functions, incident collection, reporting, and testing scenarios.
4. Develop a plan to address and close any identified gaps.
5. Collaborate with stakeholders such as business continuity, operational resilience, and third-party risk management teams to prioritise functions and review the results of a business impact analysis or end-to-end mapping.
6. Implement the steps before entering an ICT third-party agreement and meeting the requirements for exiting contracts.
In conclusion, DORA is an essential regulation that emphasises the importance of operational resilience in the financial sector. It is a critical step in protecting financial entities during operational disruptions and promoting the collaboration and sharing of information to mitigate cyber risk. Organisations must prepare and comply with the regulatory requirements to ensure that they can manage risks proactively and strengthen their operational resilience.