Digital Operational Resilience Act (DORA) – A Brief Overview

Digital Operational Resilience Act (DORA) – A Brief Overview

Vinod Menon
Vinod Menon
Chief Product Officer
Vinod Menon
Vinod Menon
Chief Product Officer

The use of information and technology is essential in the modern era as it supports complex systems used for daily activities. It plays a critical role in keeping our economies running, especially in key sectors such as finance, and improves the functioning of the internal market. However, as digitalization and connectivity continue to increase, so do the associated risks, making the financial system more susceptible to cyber threats and disruptions. Despite the global usage of technology and high digitalization and connectivity being a core feature of financial entities, their digital resilience remains insufficiently addressed and integrated into their broader operational frameworks.

The Digital Operational Resilience Act (DORA) of the EU aims to enhance, promote, and guarantee operational resilience in the financial services sector. It mandates that financial institutions comply with a set of obligations intended to safeguard their business lines against various risks and maintain operational resilience. Operational resilience refers to the ability to withstand, recuperate from, and adjust to unfavorable consequences that may impede or obstruct the delivery of services. Additionally, DORA will enforce particular obligations on selected information and communication technology service providers categorized to be important or critical. These providers will come under the purview of a novel direct regulatory oversight framework.

Time Frame 

DORA was officially published in the Official Journal of the European Union on December 27th, 2022, and became effective from January 16th, 2023. This ground-breaking legislation introduces stringent new responsibilities for both financial institutions and essential third-party providers. As per DORA’s requirements, risk management frameworks, incident reporting, information sharing, and integration of contractual provisions into outsourcing arrangements. Recognizing the time required for companies to become compliant with DORA, the regulation stipulates a two-year implementation period, with the new regulations taking effect from January 17th, 2025.

Objective of DORA

DORA is built on five fundamental pillars that cover a wide range of ICT and cybersecurity domains, creating a comprehensive digital resiliency framework for the relevant entities. Below is a summary of the primary requirements or aspects under each pillar:

1. ICT Risk Management

The first pillar of DORA focuses on setting up and maintaining resilient ICT systems and tools that minimize the impact of ICT risk. All sources of ICT risks should be continuously identified to set-up protection and prevention measures. A prompt detection of anomalous activities should be established. Dedicated and comprehensive business continuity policies and disaster and recovery plans should be in place, ensuring a prompt recovery after an ICT-related incident. Establish mechanisms to learn and evolve both from external events as well as the entity’s own ICT incidents.

2. ICT Related Incident Reporting

The guideline includes,

Create and put in place a management process that can effectively track and document all incidents related to information and communication technology (ICT). Categorize the incidents based on the criteria stated in the regulation and expanded by the relevant supervisory authorities, such as EBA, EIOPA, and ESMA.

Guarantee the prompt reporting of all incidents to the proper authorities utilizing a uniform template and a standard procedure established by the supervisory authority in charge.

Provide the company’s users and clients with initial, intermediate, and final reports regarding any ICT-related incidents that occur.

3. Digital Operational Resilience Testing

It’s essential to periodically test the components of the ICT risk management framework to assess their readiness. Any shortcomings, inadequacies, or gaps must be identified and promptly addressed through the implementation of corrective measures.

Digital operational resilience testing requirements should be proportional to the size, business, and risk profiles of the entities. This ensures that the testing process is appropriate for the organization’s unique circumstances.

Conduct a Threat Led Penetration Testing (TLTP), commonly known as a Red/Purple Team Assessment, to address high-risk exposure levels. This testing approach will enable a comprehensive evaluation of potential vulnerabilities and identify areas that require improvement.

4. ICT Third-Party Risk

It’s critical to establish robust monitoring procedures for risks associated with reliance on third-party ICT providers. To facilitate comprehensive monitoring, key aspects of the service and relationship with these providers must be standardized.

Ensure that all contracts with third-party ICT providers include essential monitoring and accessibility details such as a comprehensive service level description, data processing locations, and other relevant information.

To promote consistency in the supervisory approach to third-party ICT risks, Union Oversight Framework should be used to subject service providers to appropriate regulatory scrutiny. This will help ensure that the risks posed by these providers are adequately assessed and managed.

5. Information Sharing

The guidelines aim to promote cooperation between reliable groups of financial institutions. This cooperation will have several benefits, such as strengthening the digital operational resilience of financial institutions, increasing awareness of ICT risks, reducing the ability of ICT threats to propagate, and providing support for institutions’ defensive and detection techniques, mitigation strategies, and response and recovery stages.

To achieve these benefits, financial institutions are urged to share cyber threat information and intelligence among themselves, while ensuring that the confidentiality of the shared information is protected through appropriate arrangements.

Would like to get more understanding on DORA? Talk to our expert here.

Recent Blog’s

Share

Explore more

DORA's Role in Enhancing ICT Risk Management - Gieom
Risk Management

Fortifying Digital Frontiers: DORA’s Role in Enhancing ICT Risk Management

In the complex world of contemporary finance, where new digital innovations occur at a dizzying rate and new cyber dangers appear at every turn, the …

ICT Risk Management: Outline of DORA Article 5-16 - Gieom
Risk Management

The ICT Risk Management Revolution: An Outline of DORA Articles 5-16

Due to continuous digital advancements, the financial sector is seeing significant hurdles in handling and reducing information and communication technology (ICT) risks. The Digital Operational …

Regulatory Expectations Resilience Testing Dora
Compliance Assurance

DORA – Digital Operational Resilience Act – 10 Expectations From Resilience Testing by the Regulator

DORA expects financial entities to establish, maintain, and review a sound and comprehensive digital operational resilience testing program as an integral part of the ICT …

Dora Navigating ICT Business Continuity
Compliance Assurance

Navigating Digital Operational Resilience Act (DORA): Unveiling the ICT Business Continuity Management Landscape

As part of the regulatory framework, financial entities must establish an ICT Risk Management framework, with specific requirements tailored for smaller financial entities outlined in …

Switch to Digital SOPS
SOP Digitization

Embracing Digital SOPs: Why Your Company Should Make the Switch!

Digital Standard Operating Procedure (SOPs) are documents having set of instructions which are maintained in an electronic way. Every company requires SOPs to circulate it …

Optimizing Operational Risk
Risk Management

Optimizing Operational Risk: A Strategic Edge for Your Competitive Success

The Basel Committee on Banking Supervision defines operational risk as the risk of loss resulting from inadequate or failed internal processes, systems, and people. Operational …

Unlocking Excellence Adhering to DORA
Compliance Assurance

Unlocking Excellence: The Significance of Adhering to Digital Operational Resilience Act (DORA)

In our digital era, reliance on information and communication technology (ICT) continues to grow. The heightened digitization and interconnectivity, however, escalate the risks associated with …

Dora Compliance
Compliance Assurance

Top Reasons to Adopt Dora Compliance in a Tech-Driven Financial World

THE DIGITAL OPERATIONAL RESILIENCE ACT (DORA): The European Commission, European Council Presidency, and European Parliament introduced DORA in 2020 to establish a structure for financial …

Digital Identity

Top 4 Reasons How Banks and Financial Organisations Benefit from Strong Policy Management Systems

WHAT IS POLICY MANAGEMENT AND WHY IS IT IMPORTANT: Policy management is a crucial procedure in financial institutions involving the development, execution, and revision of internal …

Organizational Culture and Employee Engagement Through SOP Digitization
SOP Digitization

Enhancement of Organizational Culture and Employee Engagement Through SOP Digitization

Importance Of Sop Digitization: Within business operations, Standard Operating Procedures (SOPs) have traditionally served as the foundation for enhancing efficiency, ensuring uniformity, and maintaining quality …

The Role Of Technology In Automating Policy Compliance
Compliance Assurance

The Role Of Technology In Automating Policy Compliance

WHAT IS COMPLIANCE? Compliance is a multifaceted process that ensures an organization follows applicable laws, regulations, and internal norms. Understanding and interpreting critical legal requirements …

Process Mapping – The What, Why and How?
Operational Resilience

Process Mapping – The What, Why and How?

What is Process Mapping? Let us break down the words. Process means “a series of actions you do for a particular purpose that produce an …

The Role of Process Mapping in Change Management
Operational Resilience

The Role of Process Mapping in Change Management

Change is constant in the fast-paced world of business. Companies must frequently adjust operations to respond to market developments, technology advancements, or internal reorganisation. Process …

Overview of the Australian Operational Resilience Regulatory Guidelines
Operational Resilience

Overview of the Australian Operational Resilience Regulatory Guidelines

The objective of this Prudential Standard CPS 230 is to establish and uphold operational resilience for APRA (Australian Prudential Regulation Authority) regulated entities. Such entities …

How Financial Institutions can benefit from Incident Management Solution?
Incident Management

How Financial Institutions can benefit from Incident Management Solution?

Financial institutions, such as banks, insurance companies, and investment firms, face various challenges in their daily operations. They have to deal with complex regulations, high …

From Spreadsheets to Success: Advantages of Operational Risk Management Software for Financial Organizations
Risk Management

From Spreadsheets to Success: Advantages of Operational Risk Management Software for Financial Organizations

Many financial organizations still rely on spreadsheets to manage their operational risk data. While spreadsheet is a powerful and versatile tool, it has some limitations …

Building Resilience: The Crucial Role of Policy Management Solutions in Compliance with the Digital Operational Resilience Act(DORA)
Operational Resilience

Building Resilience: The Crucial Role of Policy Management Solutions in Compliance with the Digital Operational Resilience Act(DORA)

A policy management solution is of utmost importance from a Digital Operational Resilience Act (DORA) regulation perspective. The DORA regulation aims to ensure the operational …

SOP Digitization Solution
SOP Digitization

How to Choose the Right SOP Digitization Solution?

Standard operating procedures (SOPs) are essential for any business that wants to ensure quality, consistency and compliance in its processes. However, managing SOPs can be …

Why is it Important for the Financial Institution to Digitize its Standard Operating Procedure?
SOP Digitization

Why is it Important for the Financial Institution to Digitize its Standard Operating Procedure?

The financial sector is undergoing a rapid transformation due to the emergence of new technologies, changing customer expectations, and increasing regulatory demands. In this context, …

6 Simple Steps for Implementing an Operational Resilience Framework
Operational Resilience

6 Simple Steps for Implementing an Operational Resilience Framework

On March 29, 2021, the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) jointly issued policy and supervisory statements to …

Operational Resilience Program – Steps to Conduct a Failure Modes and Effect Analysis (FMEA)
Operational Resilience

Operational Resilience Program – Steps to Conduct a Failure Modes and Effect Analysis (FMEA)

Basel defines Operational Resilience as a bank`s ability to deliver critical operations even at times of disruption. This would mean that the bank should have …

Impact Tolerance – Setting Impact Tolerance is a Vital Step to Build and Enhance Operational Resilience of an Organisation
Operational Resilience

Impact Tolerance – Setting Impact Tolerance is a Vital Step to Build and Enhance Operational Resilience of an Organisation.

Impact Tolerance is quantifying the level of disruption, a critical business service can accommodate or absorb, before such disruption creates a significant impact or harm …

Improve your Organisation’s Decision Making and Response Mechanism through an Integrated Risk & Resilience Approach
Risk Management

Improve your Organisation’s Decision Making and Response Mechanism through an Integrated Risk & Resilience Approach

During last twelve to twenty four months we have all experienced extraordinary uncertainty primarily due to natural calamity, COVID-19 pandemic, unstable global economy,  political differences …

Operational Resilience Programme – Digitize your BIA (Business Impact Analysis) – An Important Step
Operational Resilience

Operational Resilience Programme – Digitize your BIA (Business Impact Analysis) – An Important Step

Let’s first try and understand what is a BIA? Business Impact Analysis is a methodology which allows to predict the impact of disruption on your …

Synopsis of the Operational Resilience guideline of MAS- Monetary Authority of Singapore
Operational Resilience

Synopsis of the Operational Resilience guideline of MAS- Monetary Authority of Singapore

Operational disruptions, if not recovered speedily, may compromise the ability of financial institutions (“FIs”) to meet their business obligations, resulting in financial and reputational damage, …

The What and Why of BPMN – Business Process Model and Notation
BPMN

The What and Why of BPMN – Business Process Model and Notation

The Business Process Model Notation (BPMN) is a graphical representation for specifying business processes in a business process model. The objective of BPMN is to …

Key Highlights of APRA`s Discussion Paper on Strengthening Operational Risk Management
Risk Management

Key Highlights of APRA`s Discussion Paper on Strengthening Operational Risk Management

Events of recent years like COVID-19, cyber-attacks, flood and storms etc. has reinforced the importance of managing and responding to operational risks. To ensure that …

An Integrated Risk and Resilience Framework – A Better Approach to Manage Uncertainty
Risk Management

An Integrated Risk and Resilience Framework – A Better Approach to Manage Uncertainty

Businesses across the globe have, in the last couple of years, seen exceptional uncertainty due to political tensions, economic turmoil, COVID-19 pandemic and others.   Markets …

The Seven Steps to Implementing an Effective Risk Management Process
Risk Management

The Seven Steps to Implementing an Effective Risk Management Process

Risk Management Process is a methodology by which risks are formally identified, measured and treated to ensure that risk is avoided, transferred or mitigated. As …

Simple steps to Automate and Standardise your Risk & Control Self Assessment (RCSA)
Risk Management

Simple steps to Automate and Standardise your Risk & Control Self Assessment (RCSA)

Risk and Control Self Assessment process is a widely accepted methodology used by banks, financial companies, insurance companies and others to identify and assess the …

Key Risk Indicators -A Powerful Tool to Anticipate Your Risk Within the Enterprise
Risk Management

Key Risk Indicators -A Powerful Tool to Anticipate Your Risk Within the Enterprise

In simple terms, Key Risk Indicator (KRI) is a metric used to measure the level of exposure to risk. These are indicators that denote the …

Hongkong’s Regulations for Operational Resilience
Operational Resilience

Hongkong’s Regulations for Operational Resilience

On 22nd December, 2021 HKMA (Hong Kong Monetary Authority) came up with a Supervisory Policy Manual for Operational Resilience to provide Authorized Institutions (AI) with …

Irelands’ Financial Service Sector Guidance on Operational Resilience
Operational Resilience

Irelands’ Financial Service Sector Guidance on Operational Resilience

The Central Bank of Ireland`s objective of this guidance is to communicate to industry how to prepare for, respond to and recover and learn from …

New Operational Resilience Regulation
Operational Resilience

New Operational Resilience Regulation for Financial Institutions in United States (USA)

The Federal Reserve, the Central Bank of the United States in August 2021 has released a paper intended to help community banks assess threats when …

Process Mapping Operational Resilience Framework
Operational Resilience

Process Mapping is an important step in building an Operational Resilience Framework

The Covid -19 pandemic has clearly shown two trends within firms: The intensified use of technology and Operations can be managed through digital work force …

What is Game-Based Employee Onboarding?
Game-based Learning

What is Game-Based Employee Onboarding? Tips and tricks to implement the right gamification strategy

Learning begins with joining. Effective Onboarding contributes to a newbie commencing with confidence, feeling supported, and acclimatizing much sooner. Conversely, employees who spend weeks and …

Strategies for Improving Banks Operating Efficiency
Digital Transformation

Strategies for Improving Banks’ Operating Efficiency

Banks occupy a place of pride because of its structure of undivided attention and contemporary functions. They have come an extended way from merely performing …

Get started with Digital Identity Verification
Digital Identity

Get started with Digital Identity Verification

In a growing interconnected digital economy, identity verification of an individual’s real-world identity against their digital one has become ever critical in fraud detection. The …

Importance of Operational Resilience
Operational Resilience

Growing Importance of Operational Resilience in the Digital Era

Operational Resilience assumes that things will go wrong, and it will force organizations to plan on how to recover from the disruption. It is a …

Why are organizations jumping onto the AI-enabled Identity verification bandwagon?
Digital Identity

Why are organizations jumping onto the AI-enabled Identity verification bandwagon?

Who has not experienced being asked to show some kind of government ID, be it to receive your courier, or check into a hotel, or …

What is Identity Proofing?
Digital Identity

What is Identity Proofing?

As per the Digital Identity Guidelines published by NIST, a US agency, Identity Proofing is verifying the claimed identity of an applicant by authenticating the …

New Amendment to KYC Regulation by RBI
Digital Identity

New Amendment to KYC Regulation by RBI – 10th May, 2021

In Jan 2020, Reserve Bank of India amended the KYC norms allowing banks and other lending institutions to use Video based Customer Identification Process (VCIP) …

Successful Execution of a Digital Transformation Project
Digital Transformation

5 Steps to a Successful Execution of a Digital Transformation Project

Digital Transformation is bringing about a radical shift in the way you run your business, deliver services or manage your customers. The objective of digital …