DORA Digest February 2024

Under the hood: DORA requirements in detail 

DORA seeks to ensure that risk management for Europe’s banking and financial infrastructure is not a tick-the-box exercise. It goes beyond setting out requirements by providing technical guidance, so that risk management procedures can be aligned to good practise and effectively implemented. Let’s look at them in more detail as they relate to DORA’s various Chapters and Articles. 

ICT risk management 

• ICT governance and organisation: Covers the requirement to have three lines of defence for ICT risk management and seeks to ensure that organisations have allocated resources and responsibility for managing ICT risk and ICT third-party risk.

• ICT risk management framework: Provides requirements for various components of an organisation’s ICT risk management framework, its ICT risk management framework review process, and its digital operational resilience strategy.

• Identification: Elaborates on the how organisation goes about identifying ICT risk. Includes (among other things) sources of risk identification, consideration of the criticality of ICT assets, ICT risk scenarios, and ICT risk assessments. Also includes methods for identifying critical business functions, ICT assets and ICT third parties that support critical functions.

• Protection and prevention: Describes the requirements for implementing ICT security policies, procedures, protocols, and tools that aim to ensure the resilience, continuity, and availability of ICT systems. 

• Detection: Provides requirements around implemented detection use cases, alert thresholds and resources for monitoring and detection. 

• Response and recovery: Covers requirements for organisations to have implemented ICT incident response and recovery processes, along with testing of the same and how it aligns to overall business continuity management. 

• Backup policies and recovery methods: Sets out requirements for organisations to implement backup policies and procedures to support the recovery process, along with requirements on restoration activities. 

• Learning and evolving: Includes requirements for organisation to continuously learn incidents, threat landscape and improving ICT risk management practices. 

• Communication: Provide requirements around sharing information in a coherent way during crisis. 

ICT-related incident management, classification, and reporting 

• ICT-related incident management process: Components to be considered in the ICT-related incident management process (and implementation of the same). 

• Classification of ICT-related incidents and cyber threats: Classification guidance for ICT-related incidents and, more specifically, what the various input parameters are for determining what counts as a significant ICT-related incident. 

• Reporting of major ICT-related incidents: Describes what the content of ICT-related incident reports should be, which authorities to report to, and what the timelines for reporting are. 

Digital operational resilience testing 

• General requirements: Expands on requirements to have a range of assessments, tests, methodologies, practices and tools, sourcing models for performing tests, and processes for remediating and reporting findings. 

• Testing of ICT tools and systems: Provides requirements on types of assessments and tests to be performed. 

• Advance testing based on threat-led penetration testing (TLPT): Provides requirements for conducting regular TLPT, requirements for internal testing team and external testing teams. 

Managing of ICT third-party risk 

• General principles: Covers requirements around (among other considerations) ICT third-party risk management frameworks that assess risk for ICT third parties across various risk domains like financial, legal, ICT security, etc., contracting, process of performing ICT third-party risk assessment. 

• Assessment of ICT concentration risk: This Article includes requirements for organisations to assess ICT concentration risk at a group level and for managing sub-contracting relationships. 

• Key contractual provisions: Details requirements around minimum contractual clauses of critical ICT third parties and non-critical ICT third parties. 

Pre-flight checklist: ready to go  

Here at Thomas Murray, we have developed a methodology that considers an organisation’s level of compliance against each of DORA’s individual requirements. This approach reflects the fact that most organisations that are in scope of DORA are likely to be at least partially in compliance with its requirements already. 

Using our Diligence tool, we can collect information and insights from across an organisation and review as required. For complex organisations, the assessment approach and tooling in place should be considered, because (as noted) there are extensive requirements that need to be reviewed, assessed, and potentially mapped to existing activities.  

This gap assessment is critical, as it will form the basis of the rest of the work the organisation needs to do in the run up to DORA coming into force in 2025. 

How the questionnaire works 

• The questionnaire is structured to mirror the DORA requirements.
• These requirements are broken down into multiple options for granular input and analysis, for example: 

• The scoring methodology is then normalised. This gives an organisation: 
  • the ability to easily report overall compliance, compliance for chapters/functions, etc; and 
  • an overview of how many requirements it has/has not met. 

Overcoming obstacles on the DORA compliance journey: governance bodies and frameworks 

The first step for any organisation, large or small, is to use a gap analysis of its existing controls and practises. This will establish areas in need of remediation. 

It should be stressed that a gap assessment should not be treated like an audit, but as an opportunity for the organisation to capture and understand areas for improvement and attention.  

For a gap analysis to be effective, resources will need to be assigned to it, stakeholders engaged, information and evidence collected, and formal findings (along with recommendations) developed.  

Any organisation with delegated practices or federalised management practices should bear in mind that multiple assessments may be needed to ensure the necessary DORA requirements are captured and assessed across the whole entity.  

Obligations under DORA are such that insights into the supply chain will need to be centrally reviewed to ensure concentrated risk is identified and assessed. 

Resources will need to be assigned to each of the activities needed so that projects can be spun up, required vendors engaged, and technology solutions procured.  

Those with existing governance frameworks can leverage those, though it is possible that a lot of organisations will need to develop an internal governance body to oversee the implementation of any changes or recommendations required to ensure compliance. This body should be responsible for overseeing any changes in the organisation with regard to its nuances and specific needs. 

With the governance body in place, the organisation will be well placed to implement the necessary policies and corresponding processes and procedures that are required to ensure compliance with DORA. The body can act as a mechanism for reviewing and approving documentation in a centralised manner, thereby avoiding the common pitfall that organisations fall into when producing policy documentations – that is, the “perpetual review cycle.” 

The necessary mechanisms and governance bodies required to ensure effective implementation of the DORA requirements will vary by organisation. However, the uncomfortable reality is that there is a less than a year to go until DORA comes into force, so appropriate planning is going to be fundamental to achieving compliance in time.