About the author
Managing Consultant | Advisory
Christine Young joined Thomas Murray’s Advisory team in 2022, after 30 years in the asset servicing sector. Her previous role was at BNY Mellon, where Christine was responsible for the risk and regulatory control function in the asset servicing business, having led the development of the control framework for the business. She has also held roles in sales, corporate development and relationship management. Christine has both legal and accounting qualifications, and extensive experience in working on multi-discipline projects in global jurisdictions.
Everyone is talking about Regulation (EU) 2022/2554, the Digital Operational Resilience Act. It goes by the rather catchier name of DORA, and is well worth getting to know. Even if your organisation isn’t based in the EU, chances are it will come within DORA’s reach.
DORA: What it is, who it affects, and when it comes into force
WHAT: DORA is a European Union regulation, handing the EU regulators wide-ranging powers over how financial institutions select and manage their providers of information and communications technology (ICT). It sets out the standard requirements any organisation operating in the financial sector needs to meet when it comes to network and data system security.
It also imposes those same requirements on the critical third parties (CTPs) that provide information and communications technology services to those organisations.
That’s because, as the name suggests, DORA is focused on boosting the financial sector’s operational resilience in the face of its dependence on ICT. DORA replaces the EU’s existing ICT guidelines with much tougher requirements – part of a belated realisation by financial regulators around the world that the entire financial system is at risk should these services fail.
WHO: Because risk knows no borders, DORA will also affect firms outside the European Union if they’re doing business there. Organisations that will fall under DORA’s remit include:
- Investment managers
- Credit and payment institutions
- Cryptocurrency firms and others dealing in electronic money
- Insurance companies
- Almost all third-party ICT service providers (providers of straightforward phone services are exempted)
WHEN: Affected firms will have to demonstrate compliance with DORA by 17 January 2025. The clock is ticking, so here are five things you can make a start on now so you can be ready in time.
Five ways to get ready for 17 January 2025
1. Develop a risk management framework for your ICT
No matter how robust your ICT risk strategy is, there could be challenges in adapting it to DORA. The sooner those challenges can be addressed, the better.
Your organisation will already have a risk management strategy in place, so that’s a good place to start. Develop a thorough understanding of the risk management framework that DORA sets out, and map your own against it. This will highlight any areas where your ICT handling needs to be improved, as well as where you are already meeting the compliance thresholds.
To be sure that you have covered all the bases, it may also be wise to measure yourself against the US National Institute of Standards and Technology’s Cybersecurity Framework (the NIST framework). Although its adoption is voluntary, the influence of the NIST framework on DORA is clear.
2. Nail down your own digital operational resilience strategy
Once the ICT framework is in place, it will be able to support your strategy. Decide how you will address your ICT risks and achieve your ICT aims.
Incorporate it into your wider business strategy, so that all third-party due diligence accounts for broader ICT risks posed by your partners and suppliers.
3. Establish your incident reporting method in line with DORA requirements
We have been promised technical standards for classifying and reporting data and cyber security incidents. In the meantime, we know that DORA specifies an incident management process. Under this process, financial organisations will have to classify their cyber incidents and provide detailed reports to “a competent authority,” which will provide feedback.
It may be tempting to view a standardised reporting process as bureaucratic paperwork, but on the plus side patterns will emerge that could generally improve all risk management strategies. Incident reporting is critical to promoting a transparent and proactive security culture at an organisational and national level.
4. Start adapting your testing to DORA standards
Once DORA takes effect you will have to be able to test your digital operational resilience in a way that:
- meets its exacting requirements; and
- is tailored to your organisation and covers a wide range of potential issues.
Bear in mind that DORA requires all financial organisations, except micro-enterprises,* to undergo threat-led penetration testing by an independent expert.
*In the EU, that would mean a balance sheet below €2m and fewer than ten employees.
5. Review the way you manage your ICT service providers
The management of ICT service providers is arguably the area where DORA differs most from the old ICT guidelines, and it adds several new requirements.
The clearest evidence of the new approach is the way in which DORA aims to minimise dependence on critical ICT third parties:
- The data security standards that vendors have to meet are much higher than before.
- Financial institutions will have to provide a multi-vendor strategy, demonstrating that they have diversified to minimise their exposure to concentration risk. “Concentration risk” is how the banking industry describes the risk that arises when firms are too reliant on a single counterparty, sector or country. DORA therefore also demands that all vendors be subjected to pre-assessments of their concentration risks.
- Firms must be able to show that their third parties can easily be substituted, and that they have an exit strategy for each of them.
Whether meeting DORA thresholds means you’re starting afresh or simply tweaking your existing approach, we’re here to help. Our leading cyber security solutions are tailor-made for third-party risk management and compliance in the financial services industry. Talk to one of our experts about the challenges that you’re facing and how we can work with you to overcome them.