The use of information and technology is essential in the modern era, as it supports the complex systems used for daily activities. It plays a critical role in keeping our economies running, especially in key sectors such as finance, and improves the functioning of the internal market. However, as digitalization and connectivity continue to increase, so do the associated risks, making the financial system more susceptible to cyber threats and disruptions. Although high digitalization and connectivity are now core features of financial entities, their digital resilience remains insufficiently addressed and insufficiently integrated into their broader operational frameworks.
The Digital Operational Resilience Act (DORA) of the EU aims to enhance, promote, and guarantee operational resilience in the financial services sector. It mandates that financial institutions comply with a set of obligations intended to safeguard their business lines against various risks and maintain operational resilience. Operational resilience refers to the ability to withstand, recover from, and adapt to adverse events that may impede or obstruct the delivery of services. Additionally, DORA imposes specific obligations on selected information and communication technology (ICT) service providers categorized as important or critical. These providers will come under the purview of a new direct regulatory oversight framework.
Time Frame
DORA was officially published in the Official Journal of the European Union on December 27th, 2022, and entered into force on January 16th, 2023. This ground-breaking legislation introduces stringent new responsibilities for both financial institutions and essential third-party providers. DORA’s requirements cover risk management frameworks, incident reporting, information sharing, and the integration of contractual provisions into outsourcing arrangements. Recognizing the time companies need to become compliant with DORA, the regulation stipulates a two-year implementation period, with the new rules applying from January 17th, 2025.
Objective of DORA
DORA is built on five fundamental pillars that cover a wide range of ICT and cybersecurity domains, creating a comprehensive digital resiliency framework for the relevant entities. Below is a summary of the primary requirements or aspects under each pillar:
1. ICT Risk Management
The first pillar of DORA focuses on setting up and maintaining resilient ICT systems and tools that minimize the impact of ICT risk. All sources of ICT risk should be continuously identified so that protection and prevention measures can be set up. Prompt detection of anomalous activities should be established. Dedicated and comprehensive business continuity policies and disaster recovery plans should be in place, ensuring a prompt recovery after an ICT-related incident. Mechanisms should be established to learn and evolve from both external events and the entity’s own ICT incidents.
2. ICT-Related Incident Reporting
The guideline includes:
Create and put in place a management process that can effectively track and document all ICT-related incidents. Categorize the incidents based on the criteria stated in the regulation and expanded on by the relevant supervisory authorities, such as the EBA, EIOPA, and ESMA.
Guarantee the prompt reporting of all incidents to the proper authorities, using a uniform template and a standard procedure established by the supervisory authority in charge.
Provide the company’s users and clients with initial, intermediate, and final reports regarding any ICT-related incidents that occur.
3. Digital Operational Resilience Testing
It’s essential to periodically test the components of the ICT risk management framework to assess their readiness. Any shortcomings, inadequacies, or gaps must be identified and promptly addressed through the implementation of corrective measures.
Digital operational resilience testing requirements should be proportional to the size, business, and risk profiles of the entities. This ensures that the testing process is appropriate for the organization’s unique circumstances.
Conduct Threat-Led Penetration Testing (TLPT), commonly known as a Red/Purple Team Assessment, to address high-risk exposure levels. This testing approach enables a comprehensive evaluation of potential vulnerabilities and identifies areas that require improvement.
4. ICT Third-Party Risk
It’s critical to establish robust monitoring procedures for the risks associated with reliance on third-party ICT providers. To facilitate comprehensive monitoring, key aspects of the service and of the relationship with these providers must be standardized.
Ensure that all contracts with third-party ICT providers include essential monitoring and accessibility details such as a comprehensive service level description, data processing locations, and other relevant information.
To promote consistency in the supervisory approach to third-party ICT risks, the Union Oversight Framework should be used to subject service providers to appropriate regulatory scrutiny. This will help ensure that the risks posed by these providers are adequately assessed and managed.
5. Information Sharing
The guidelines aim to promote cooperation between reliable groups of financial institutions. This cooperation will have several benefits, such as strengthening the digital operational resilience of financial institutions, increasing awareness of ICT risks, reducing the ability of ICT threats to propagate, and providing support for institutions’ defensive and detection techniques, mitigation strategies, and response and recovery stages.
To achieve these benefits, financial institutions are urged to share cyber threat information and intelligence among themselves, while ensuring that the confidentiality of the shared information is protected through appropriate arrangements.