The Digital Operational Resilience Act (DORA) is a European Union regulation (Regulation (EU) 2022/2554) that entered into force in January 2023 and applies in full from January 17, 2025. It aims to strengthen the digital operational resilience of financial entities, ensuring they can withstand, respond to, and recover from ICT-related disruptions and threats.
As financial services become increasingly reliant on technology, robust digital resilience is becoming more important by the day. DORA mandates comprehensive measures across ICT risk management, incident management, resilience testing, third-party risk management, and information sharing. Compliance with DORA is not just a regulatory requirement, but a commercial and strategic imperative for financial entities to safeguard their operations, protect client data, and maintain customer, supplier, and investor trust.
As the January 2025 deadline approaches, financial services businesses must take proactive steps to align with DORA’s requirements. This involves conducting thorough assessments, implementing necessary changes, and continuously testing and updating digital resilience measures. By doing so, financial services companies can ensure operational continuity, enhance their reputation, and gain a competitive edge in the market.
Key components of DORA
There are five key aspects of DORA, with attention to each being critical to both regulatory compliance and operational resilience.
ICT risk management framework
The ICT risk management aspect of DORA seeks to ensure that financial entities have a comprehensive approach to managing ICT risks. Compliance requires a robust approach to risk identification and management across the lifecycle:
- Risk identification: Financial services companies must identify all potential ICT risks, including cyber threats, system failures, and data breaches.
- Risk assessment: Risk assessments must be comprehensive and reviewed regularly to evaluate the likelihood and impact of identified risks in a changing business landscape.
- Risk mitigation: Once an organisation has established a risk tolerance level, identifying and implementing controls to mitigate identified risks demonstrates effective management. Such controls may be in terms of policy or process, as well as technical elements like firewalls, network segregation, encryption, and access controls.
- Monitoring and reporting: Having achieved a base level of risk identification and management, the continuous monitoring of ICT systems and regular reporting of risk management activities to senior management and regulatory bodies promotes trust.
Incident management
The incident management requirements of DORA are designed to ensure a timely and effective response to ICT-related incidents. Again, this is a multi-phased process:
- Incident classification: Financial services companies must start by establishing criteria for classifying incidents based on their severity and impact. DORA's classification criteria include the number and relevance of clients or counterparties affected, the duration of the incident, its geographic spread, any data losses, the criticality of the services affected, and the economic impact. The classification is what decides whether an incident is "major" and therefore reportable.
- Incident response plan: Develop and maintain a detailed incident response plan that outlines the steps to be taken in the event of an ICT incident, enabling a consistent and comprehensive approach that assures minimal disruption.
- Incident reporting: Major ICT-related incidents must be reported to the relevant competent authority. DORA requires an initial notification, an intermediate report, and a final report, within the timeframes set in its technical standards. This duty is separate from the personal data breach notification required by the GDPR; a single incident may trigger both, so the two reporting processes should be coordinated rather than run in isolation.
- Post-incident review: Lessons learned exercises, conducting thorough reviews after incidents to identify root causes and implement corrective actions, enable continuous improvement.
Digital operational resilience testing
DORA requires regular testing of systems to validate the effectiveness of ICT risk management and resilience measures.
- Regular testing: Conduct regular tests, including vulnerability assessments and penetration testing, to identify and remediate weaknesses in ICT systems. DORA requires that all ICT systems and applications supporting critical or important functions are tested at least yearly.
- Threat-led penetration testing (TLPT): For financial entities identified by their competent authority, DORA requires TLPT at least every three years. These exercises simulate the tactics, techniques, and procedures of real-world attackers against live production systems that support critical or important functions, and so evaluate resilience against realistic threats rather than against a generic vulnerability checklist.
- Remediation: Address any vulnerabilities or weaknesses identified during testing to enhance overall resilience.
ICT third-party risk management
DORA requires that financial services organisations extend their risk management protocols to manage the risks associated with third-party ICT service providers. Supplier risk management should occur from onboarding, throughout the relationship, and on to exit. DORA also requires financial entities to maintain a register of information covering all contractual arrangements with ICT third-party providers, distinguishing those that support critical or important functions, and to make it available to the competent authority on request.
- Due diligence: Conduct thorough due diligence on third-party providers to assess the risk they represent to your business, as well as their risk management capabilities.
- Contractual agreements: Ensure contracts with third-party providers include the provisions DORA requires, such as a clear description of the services and service levels, the locations where data is processed and stored, data protection obligations, assistance with ICT incidents, cooperation with competent authorities, and termination rights with exit provisions.
- Ongoing monitoring: Regularly monitor the performance and risk management practices of third-party providers and ensure the risks you hold related to suppliers remain up to date.
- Exit strategies: Develop exit strategies to ensure continuity of operations in case of termination of third-party services.
Information sharing
DORA promotes resilience through information sharing. This takes several forms:
- Threat intelligence: Sharing information on cyber threats, vulnerabilities, and incidents with other financial entities and relevant authorities promotes a culture of openness and enables continuous improvement. DORA allows financial entities to exchange cyber threat information and intelligence among themselves within information-sharing arrangements; participation in such arrangements must be notified to the competent authority.
- Collaboration: Participate in forums and working groups to share best practices and collaborate on improving digital resilience, building information security experience throughout the industry.
- Confidentiality: Ensure that shared information is handled confidentially and used solely for enhancing resilience.
Importance of DORA compliance
DORA compliance is important for several reasons:
- Regulatory requirements: Compliance with DORA is mandatory for financial entities operating within the EU. Non-compliance can result in significant penalties and reputational damage.
- Operational continuity: By adhering to DORA’s requirements, financial entities can ensure they are better prepared to handle ICT disruptions, thereby maintaining continuous operations and protecting their clients.
- Customer trust: Demonstrating compliance with DORA can enhance client trust and confidence in the firm's ability to safeguard their data and assets. It is also a prerequisite for doing business with other financial services organisations, which must manage the ICT risk of their own suppliers under the same rules.
- Supplier trust: Compliance with DORA builds trust with suppliers, who can have confidence in the firm’s ability to protect their data and assets.
- Investor trust: DORA compliance for financial companies means running an organisation that is committed to comprehensive risk management, robust technology platforms, and secure supplier relationships. Such companies build trustworthy reputations, attractive to investors.
- Market competitiveness: Firms that proactively comply with DORA gain a competitive advantage by being seen as more reliable and secure partners in the financial ecosystem.
Demonstrating DORA Compliance
Demonstrating DORA compliance requires a systematic approach to bridge the gap between the risk position of a financial services company today, and the robust operational resilience built with a comprehensive risk management strategy going forward. With DORA soon to come into force, time is of the essence.
- Conduct a gap analysis: Start by assessing your current ICT risk management and resilience capabilities against DORA's requirements and identify gaps.
- Develop a compliance plan: Create a detailed plan to address identified gaps, including timelines, responsibilities, and resources needed.
- Implement changes: Make the necessary organisational, technical, and contractual changes to meet DORA's requirements.
- Regular testing and updates: Ensure regular testing of your digital resilience measures and update them as needed.
- Engage with third-party providers: Work closely with your ICT third-party providers to ensure they also meet DORA's standards, and consider external support from expert information security, governance, and risk management companies.
- Stay informed: With DORA being new, it is important to maintain awareness of any updates or changes to DORA and its technical standards, and adjust your compliance strategy accordingly.
Engaging DORA experts
With only months to go before DORA applies to financial services companies, the amount of work to be done may appear daunting. Working through the process outlined above can be time consuming, particularly for those less experienced in information security and risk management.
Engaging risk management experts such as YourDigitalCTO can take the anxiety out of DORA. We can provide advice and guidance, help with gap analysis and compliance planning, provide risk management advice, implement suitable controls as required, and test to ensure those controls are working as intended. We draw on the principles of Cyber Essentials, Cyber Assurance, and ISO 27001 to help create robust information security practices that support resilient systems and services.
YourDigitalCTO can help your organisation build compliant technology systems and services, as well as provide platforms to evidence that compliance to build trust in all your professional relationships.
Contact us today for a no-obligation conversation on DORA, and what it means for you.