
101 for board members and senior management 

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a comprehensive EU regulation aimed at enhancing the operational resilience of the financial sector by establishing consistent and prescriptive requirements for managing ICT risk and ensuring cyber resilience. An often overlooked aspect is the extent to which DORA requires business leaders to engage with operational resilience and holds them accountable for decisions taken on clear, risk-based principles. 

As the 17 January 2025 application date draws closer, Thomas Murray is sharing insights and considerations, based on our experience, for board members and senior management.

Your contacts
Shreeji Doshi

Director, GRC | Cyber Risk

sdoshi@thomasmurray.com

Key takeaways 

1. Synthesising DORA requirements for the board members/ management body 

a. Ultimate Responsibility for ICT Risk Management: The management body bears full responsibility for managing the financial entity's ICT risk, including the implementation of an ICT risk management framework. 

b. Policy Development: The management body must establish policies that ensure the availability, integrity, authenticity and confidentiality of data. It must also set out clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements for communication, coordination and cooperation among them. 

c. Digital Operational Resilience Strategy: The management body must set up and approve the digital operational resilience strategy, including determining the appropriate ICT risk tolerance level. 

d. Oversight of Business Continuity: The management body must approve, oversee and periodically review the entity's ICT business continuity policy and ICT response and recovery plans, ensuring they are updated as needed. 

e. ICT Audits: The management body approves and periodically reviews ICT audit plans and audits, ensuring they remain relevant and up to date with ICT-related developments. 

f. Budget Allocation: The management body is responsible for allocating an appropriate budget so that digital operational resilience needs, including ICT security awareness programmes and training, are adequately funded. 

g. Third-party Risk Management: The management body must approve and periodically review policies on the use of ICT third-party services, stay informed of material changes regarding ICT third-party providers, and assess the potential impact of those changes on critical or important functions. 

h. Training and Knowledge: Members of the management body are required to maintain sufficient knowledge and skills related to ICT risk, ensuring they can adequately assess ICT risks and their impacts on operations. 

i. Reporting: The management body must put in place channels to receive reports on major ICT-related incidents, the recovery measures taken and their potential impact. 

2. Synthesising DORA requirements for senior management 

a. Monitoring ICT Third-Party Risks: Senior management must monitor arrangements with ICT third-party service providers and ensure the financial entity’s exposure to risk is well-documented and managed. 

b. Overseeing ICT Risk Management: Senior management must ensure that the financial entity's ICT risk management framework is implemented effectively, including responding to ICT-related incidents and performing the necessary post-incident checks to confirm data integrity. 

c. Periodic Reporting: Senior management is responsible for reporting the findings related to digital operational resilience, including trends in ICT risk, to the board or management body annually. This report must include analysis of ICT-related incidents, cyber attack patterns, and the overall resilience of the financial entity’s ICT infrastructure. 

d. Participation in Crisis Management: In case of critical ICT-related incidents or the activation of ICT business continuity plans, senior management will play a role in ensuring internal and external crisis communication plans are executed effectively. 

e. Staff Training and Awareness: Senior management must oversee the development of ICT security awareness programmes and ensure that both employees and management staff are adequately trained in digital operational resilience and ICT risk management. 

3. Understanding potential impact of non-compliance 

DORA sets out a list of supervisory actions, but it is up to the competent authority in each member state to decide how they are applied. Board members and senior management should nonetheless be aware of the actions the regulation provides for, which include: 

  • Administrative fines 
  • Remedial measures to address any weaknesses 
  • Public reprimands 
  • Withdrawal of authorisation 
  • Orders for compensatory damages to the clients, customers or third parties 

4. Common challenges faced by organisations 

The requirements contained within DORA are prescriptive and, considered alongside DORA's broad scope, their extent will be new for many organisations and will require significant effort to achieve compliance.  

  • Establishing the risk tolerance level for ICT risk in line with the organisation's risk appetite, and assessing ICT risk against that defined tolerance level 
  • Aligning ICT incident response processes to the major-incident notification timelines, starting with the initial notification due within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), followed by intermediate and final reports on further deadlines 
  • Ensuring the incident response team can provide the required data elements within each notification deadline 
  • Populating the Register of Information (RoI) of contractual arrangements with ICT third-party service providers 
  • Creating an inventory of business processes, critical or important functions, ICT assets and ICT third parties 
  • Defining and implementing exit strategies for ICT third-party services that support critical or important functions 
  • Managing implementation variations across group companies 

Our recommendations 

Act now: with the deadline for compliance fast approaching, we recommend the following: 

1. Review the organisation's current DORA compliance status 

  1. With only four months left to be compliant, it is important to perform a health check of DORA compliance. One way is to access a free self-assessment health check with Thomas Murray, which can be requested here 
  2. Senior management should review the progress of DORA compliance action plans more frequently 

2. Improve understanding of DORA, including the roles and responsibilities it assigns 

  1. Review the roles and responsibilities of the management body and senior management with the operational DORA compliance team in the context of your organisation. Thomas Murray offers an Executive Readiness Workshop; access this here 

3. Ask your DORA compliance team the right questions to drive compliance effectiveness; key challenges to consider include: 

  1. How prepared are we to populate and submit the Register of Information? 
  2. Can our organisation meet the reporting obligations for major ICT-related incidents, including ad-hoc reporting? 
  3. What has been planned to meet the training and awareness obligations for the management body and senior management? 
  4. How is the legal team supporting the DORA operational team in aligning contractual agreements with DORA requirements? 

Are you ready for DORA?

With a deadline of 17 January 2025 to be fully compliant with DORA, the Thomas Murray Executive Readiness for DORA Workshops present an opportunity for executives and board members to understand the scope and implications of DORA for their organisations. This includes understanding your organisation's current exposure to regulatory enforcement and punitive actions for non-compliance.

Schedule your workshop
DORA Digest: September 2024

We safeguard clients and their communities

Petroleum Development Oman Pension Fund


“Thomas Murray has been a very valuable partner in the selection process of our new custodian for Petroleum Development Oman Pension Fund.”

ATHEX


"Thomas Murray now plays a key role in helping us to detect and remediate issues in our security posture, and to quantify ATHEX's security performance to our directors and customers."


Northern Trust

“Thomas Murray provides Northern Trust with a range of RFP products, services and technology, delivering an efficient and cost-effective solution that frees our network managers up to focus on higher-value activities.”