
About the author

Christine Young

Managing Consultant | Advisory

Christine Young joined Thomas Murray’s Advisory team in 2022, after 30 years in the asset servicing sector. Her previous role was at BNY Mellon, where Christine was responsible for the risk and regulatory control function in the asset servicing business, having led the development of the control framework for the business. She has also held roles in sales, corporate development and relationship management. Christine has both legal and accounting qualifications, and extensive experience in working on multi-discipline projects in global jurisdictions.

Get ready to meet DORA

Everyone is talking about Regulation (EU) 2022/2554, the Digital Operational Resilience Act. It goes by the rather catchier name of DORA, and is well worth getting to know. Even if your organisation isn’t based in the EU, chances are it will come within DORA’s reach.

DORA is set to significantly impact the financial sector by enforcing stringent requirements on information and communications technology (ICT) security. Even firms outside the EU conducting business there must comply. With the compliance deadline looming, it is vital that organisations start preparing or accelerate their action plans. 

Key takeaways

  • DORA affects a broad range of entities, including investment managers, banks, insurance companies, and ICT service providers. The aim is to minimise risks associated with ICT failures and cyber threats.
  • In an era where digital services are the backbone of financial operations, the resilience of these systems is critical. DORA replaces existing EU ICT guidelines with more rigorous standards to ensure financial institutions and their ICT providers can withstand and recover from disruptions.
  • Affected entities have until 17 January 2025 to achieve full compliance.

DORA: What it is, who it affects, and when it comes into force

WHAT: DORA began life as a European Commission (EC) proposal and was adopted by the European Parliament on 10 November 2022. It is now an EU regulation, handing EU regulators wide-ranging powers over how financial institutions select and manage their providers of information and communications technology (ICT). It sets out the requirements any organisation operating in the financial sector needs to meet when it comes to network and information system security.

It also brings the critical ICT third-party service providers (CTPPs) that serve those organisations under a dedicated EU oversight framework of their own.

That’s because, as the name suggests, DORA is focused on boosting the financial sector’s operational resilience in the face of its dependence on ICT. DORA replaces the EU’s existing ICT guidelines with much tougher requirements – part of a belated realisation by financial regulators around the world that the entire financial system is at risk should these services fail.

DORA will be overseen by the competent authorities in each Member State and by the European Supervisory Authorities (ESAs). The ESAs are:

  • the European Banking Authority (EBA); 
  • the European Insurance and Occupational Pensions Authority (EIOPA); and
  • the European Securities and Markets Authority (ESMA). 

WHY: DORA is designed to strengthen the operational resilience and IT security of the 20 different kinds of financial entities that underpin the modern global marketplace – banks, pension and hedge funds, and so on. This strength is vital to ensuring that Europe can keep functioning even when severe operational disruption strikes. The regulation is a recognition of the fact that cross-border financial services are relied on by almost every other participant in the economy.

This version of DORA is therefore unlikely to be the last. The opportunities presented to the financial sector by rapid advances in AI and other forms of machine learning, cloud computing and greater interconnectivity are accompanied by high levels of risk. Furthermore, a reliance on a relatively small group of tech providers makes the sector vulnerable to third-party supply chain risk – specifically through cyber attacks or incidents.

This is especially true in times of war or stormy political weather. In recent decades, the financially motivated ‘hacker in a hoodie’ has been joined by nation-state backed threat actors, who are looking to inflict severe damage on countries perceived to be ‘unfriendly’ to their own. ICT incidents are now as much a feature of geopolitics as they are of cyber crime. Hence, DORA.

WHO: Because risk knows no borders, DORA is not confined to firms established in the EU. It will also affect firms outside the European Union if they’re doing business there. Organisations that will fall under DORA’s remit include:

  • Investment managers
  • Banks
  • Credit and payment institutions
  • Crypto-asset service providers and electronic money institutions
  • Insurance companies
  • Almost all third-party ICT service providers (only traditional analogue telephone services are excluded from DORA’s definition of an ICT service)

WHEN: Affected firms will have to demonstrate compliance with DORA by 17 January 2025. The clock is ticking, so here are five things you can make a start on now so you can be ready in time.

Five steps to DORA compliance

1. Develop a comprehensive ICT risk management framework 

No matter how good your existing ICT risk strategy is, there could be challenges in adapting it to DORA. The sooner those challenges can be addressed, the better. 

Develop a thorough understanding of the risk management framework that DORA sets out, and map your own against it. This will highlight any areas where your handling of your ICT third-party service providers needs to be improved, as well as where you are already meeting the compliance thresholds. Our free DORA Readiness Toolkit is an excellent way to do this.

It may also be wise to measure yourself against the US National Institute of Standards and Technology’s Cybersecurity Framework (the NIST CSF). Although its adoption is voluntary, the influence of the NIST framework on DORA is clear: DORA’s ICT risk management chapter follows the same identification, protection and prevention, detection, and response and recovery lifecycle.

Key steps at a glance

  • Gap analysis: Map your existing ICT risk management framework against the one DORA sets out, and record where you already meet the threshold and where you fall short.
  • Third-party coverage: Check that the framework covers how you select, monitor and exit ICT third-party service providers, since the mapping will highlight any shortfall there.
  • Benchmarking: Measure the framework against the NIST CSF as a second reference point.

2. Nail down your own digital operational resilience strategy

Once the ICT framework is in place, it will be able to support your strategy. Decide how you will address your ICT risks and achieve your ICT aims.

Incorporate it into your wider business strategy, so that all third-party due diligence accounts for broader ICT risks posed by your partners and suppliers.   

Key steps at a glance

  • ICT risk identification and mitigation: Ensure that all potential ICT risks are identified, assessed, and mitigated.
  • Integration with business strategy: Align your resilience strategy with your broader business goals and objectives.
  • Third-party due diligence: Include ICT risk assessments in your evaluations of third-party service providers.

3. Establish your incident reporting procedures in line with DORA requirements

The ESAs have been tasked with producing regulatory technical standards for the classification and reporting of ICT-related incidents. In the meantime, we know that DORA specifies an incident management process: financial entities must record and classify all ICT-related incidents, and report major ones to their competent authority in stages (an initial notification, an intermediate report and a final report), with the authority providing feedback.

It may be tempting to view a standardised reporting process as bureaucratic paperwork, but on the plus side patterns will emerge that could generally improve all risk management strategies. Incident reporting is critical to promoting a transparent and proactive security culture at an organisational and national level. 

Key steps at a glance

  • Classification of incidents: Develop a system for categorising ICT-related incidents by severity and impact, using the criteria DORA names (clients and counterparties affected, duration, geographical spread, data losses, criticality of the services affected, and economic impact).
  • Reporting mechanism: Create a standardised process for reporting incidents to the relevant, competent authorities.
  • Feedback utilisation: Use feedback from authorities to enhance your overall incident response and management strategies.

4. Start adapting your testing to DORA standards

Compliance with DORA includes rigorous testing of your digital resilience. Once DORA takes effect, you will have to be able to test your digital operational resilience in a way that:

  1. meets its exacting requirements; and
  2. is tailored to your organisation and covers a wide range of potential issues.

Bear in mind that DORA requires all financial organisations, except micro-enterprises,* to run a digital operational resilience testing programme. Those that their competent authority identifies as significant must additionally undergo threat-led penetration testing (TLPT) at least every three years, carried out by suitably qualified and independent testers; internal testers may be used only under conditions DORA sets out, and at least one test in every three must still be performed by an external tester.

Key steps at a glance

  • Regular testing: Run a testing programme covering all ICT systems supporting critical or important functions, and, if you are in scope for TLPT, conduct it at least every three years.
  • Independent testing: Ensure that testing is performed by suitably qualified, independent testers, external where DORA requires it.
  • Comprehensive coverage: Design tests to cover a wide range of potential issues, tailored to your organisation’s specific risks.

*In the EU, that means a financial entity with fewer than ten employees and an annual turnover and/or balance sheet total below €2 million.

5. Review and enhance the way you manage your ICT service providers

The management of ICT service providers is arguably the area where DORA departs furthest from the old ICT guidelines, and it adds several new requirements.

The clearest evidence of the new approach is the way in which DORA aims to minimise dependence on critical ICT third parties:

  • The security standards that vendors have to meet are much higher than before, and the key provisions that ICT contracts must contain are now prescribed.
  • Financial institutions must assess ICT concentration risk and show how they manage it, which in practice means a multi-vendor strategy demonstrating that they have diversified their exposure. “Concentration risk” is how the banking industry describes the risk that arises when firms are too reliant on a single counterparty, sector or country. DORA therefore also demands that concentration risk be assessed before any ICT contract is signed.
  • Firms must be able to show that their third parties can be substituted, and that they have a documented exit strategy for every ICT service supporting a critical or important function.

Key steps at a glance

  • Vendor risk assessment: Evaluate the security standards and resilience of your ICT service providers.
  • Diversification: Develop a multi-vendor strategy to mitigate concentration risks.
  • Exit strategies: Establish clear exit plans for each provider to ensure seamless transitions if needed.

Additional considerations

Impact on global firms

Firms outside the EU must also pay attention to DORA if they operate within the EU. This extraterritorial impact means that global financial institutions need to ensure their operations are DORA-compliant to avoid penalties and ensure continued access to the EU market.

Future-proofing your strategy

The digital landscape is continuously evolving, and so too are the threats. Regular updates to your risk management and resilience strategies are essential. Staying informed about regulatory changes and advances in ICT security practices will help keep your organisation resilient.

Conclusion

Preparing for DORA compliance is a comprehensive task that requires immediate attention and ongoing effort. By developing a robust ICT risk management framework, formulating a resilience strategy, establishing incident reporting procedures, adapting testing methods, and enhancing ICT service provider management, your organisation will be well prepared for the January 2025 deadline. Engaging with experts and leveraging advanced cyber security solutions can further streamline your compliance journey.

Expert guidance from industry leaders

For tailored advice and solutions to help your organisation meet DORA’s requirements, contact our experts today. We offer industry-leading services in cybersecurity, risk management, and compliance designed specifically for the financial sector.

Get your DORA Readiness Toolkit

Are you ready for DORA?

Use our free, easy-to-follow Readiness Toolkit to determine how close your organisation is to meeting all the Digital Operational Resilience Act (DORA) requirements. Once completed, we’ll send you a free report outlining how prepared you are for DORA. You can use our output to create an action plan to achieve compliance by 17 January 2025.
