DORA: Framework for management of digital risks in Financial Markets

We will guide you through the whole process of implementing DORA (the Digital Operational Resilience Act): from an initial analysis, defining the scope and identifying the risks, all the way to implementing the requirements and achieving compliance.

What is DORA?

The Digital Operational Resilience Act (DORA) is a new European framework for effective and comprehensive management of digital (ICT) risk in financial markets.

  • The framework shifts the focus from guaranteeing firms’ financial soundness alone to also ensuring they can maintain resilient operations through a severe operational disruption arising from ICT and cybersecurity incidents.
  • By introducing a single, consistent supervisory approach across the relevant sectors, DORA drives convergence and harmonization of security and resilience practices across the EU.
  • DORA introduces an end-to-end framework for managing ICT and cybersecurity risk, including the risk arising from reliance on third-party ICT providers, so that services are delivered consistently across the entire value chain.
  • It introduces specific and prescriptive requirements for financial entities of all kinds, including banks, investment firms, insurance undertakings and intermediaries, crypto-asset service providers and data reporting service providers, and it also reaches the ICT third-party service providers (including cloud service providers) on which they depend.
  • DORA is unique in introducing a Union-wide Oversight Framework for critical ICT third-party service providers, as designated by the European Supervisory Authorities (ESAs).

DORA requirements

ICT Risk Management

Financial entities are required to set up a comprehensive ICT risk management framework, including:

  • Setting up and maintaining resilient ICT systems and tools that minimize the impact of ICT risks
  • Identifying, classifying and documenting critical functions and assets
  • Continuously monitoring all sources of ICT risks in order to set up protection and prevention measures
  • Establishing prompt detection of anomalous activities
  • Putting in place dedicated and comprehensive business continuity policies and disaster recovery plans, including at least yearly testing of the plans covering all supporting functions
  • Establishing mechanisms to learn and evolve both from external events as well as the entity’s own ICT incidents

ICT-related Incident Reporting

Financial entities are obliged to:

  • Develop an effective process for recording and classifying all ICT-related incidents and for identifying major incidents according to the criteria detailed in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA)
  • Submit an initial notification, an intermediate report and a final report on major ICT-related incidents to the competent authority
  • Harmonize the reporting of ICT-related incidents through the standard templates developed by the ESAs

Digital Operational Resilience Testing

The regulation requires all financial entities to:

  • Perform, at least yearly, basic testing of all ICT tools and systems supporting critical or important functions
  • Identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps found, and verify that the counteractive measures have been implemented
  • Periodically (at least every three years) perform advanced Threat-Led Penetration Testing (TLPT) covering the ICT services that support critical or important functions. Third-party ICT service providers supporting those services are required to participate and fully cooperate in the testing activities.

Third-party ICT Risk Management

Financial entities are required to:

  • Ensure sound monitoring of the risks arising from reliance on third-party ICT service providers
  • Maintain and report a complete register of information on all contractual arrangements with third-party ICT service providers, including intra-group services, and notify any changes in the providers supporting critical or important functions
  • Take account of ICT concentration risk and the risks arising from sub-outsourcing (subcontracting) chains
  • Harmonize the key elements of the services and relationships with third-party ICT providers so that they can be monitored end to end
  • Ensure that contracts with third-party ICT providers contain all the necessary monitoring, audit and access provisions, such as full service-level descriptions, the locations where data is processed and stored, etc.

Furthermore, critical third-party ICT service providers will be subject to a Union Oversight Framework under which the Lead Overseer can issue recommendations on the mitigation of identified ICT risks. Financial entities must take into account the ICT third-party risk posed by providers that do not follow those recommendations, up to and including terminating the arrangement.

Information sharing

  • The regulation allows financial entities to set up arrangements amongst themselves to exchange cyber threat information and intelligence, provided the arrangements protect the confidentiality of the data shared.
  • The supervisory authorities will also provide relevant, anonymized information and intelligence on cyber threats to financial entities. Entities should therefore implement mechanisms to review and act on the information shared by the authorities.

DORA timeline

DORA entered into force on 16 January 2023. With a two-year implementation period, financial entities are expected to comply with the regulation by 17 January 2025 at the latest.

On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP).

Following the publication of the European Parliament’s and the Council’s positions on DORA, the co-legislators held political and technical trilogues throughout H1 2022. The European Parliament voted in favour of the act on 10 November 2022 and the Council adopted it on 28 November of the same year.

The regulation was published in the Official Journal of the EU in December 2022 and entered into force on 16 January 2023. During the implementation period the European Supervisory Authorities (ESAs) develop the regulatory and implementing technical standards (RTS and ITS) that provide entities with specifications and guidance on how to implement specific DORA requirements.

DORA applies 24 months after its entry into force. Financial entities are therefore expected to be compliant with DORA, and the technical standards issued under it, by 17 January 2025.

DORA in practice: what to expect

We view DORA as both a challenge and an opportunity for financial entities. DORA’s EU-wide, uniform requirements mean that financial entities need to manage their cybersecurity and operational resilience at a consistent level of maturity across all their EU operations. With a two-year “get-ready” period, there is a lot that needs to be considered, implemented and, crucially, demonstrated to supervisors.

Starting immediately, financial institutions should conduct comprehensive gap assessments to evaluate their maturity against DORA and promptly identify the areas that require further investment and prioritization. This puts a business in a better position to address the more demanding requirements, such as third-party risk management, threat intelligence and advanced security testing, and gives it a competitive advantage on the market.

We see DORA as a significant change not only for entities within the ESMA or EIOPA remit, but also for banks, which already have to comply with the existing EBA guidelines on ICT and security risk management and on outsourcing.

DORA also extends its scope to other stakeholders in the financial sector who have so far not been subject to extensive ICT security regulation, such as crypto-asset service providers, managers of alternative investment funds, crowdfunding service providers, and cloud-service providers and other third-party ICT service providers.

Given the strong focus on third-party risk management, entities are expected to ensure third-party resilience, which will require close interaction and joint efforts with their critical third-party ICT service providers, especially where they support the delivery of an important business service.

DORA in the Czech Republic

Given DORA’s broad scope, it overlaps with topics that are already covered by existing regulation in the Czech Republic, in particular the Act on Cyber Security and the Czech National Bank’s ICT and outsourcing requirements.

Nevertheless, certain topics such as threat intelligence and threat-led penetration testing are novel, and so they require heightened attention. A further challenge we see is developing an overarching visibility and understanding of all the key dependencies between your entity and your critical ICT service providers.

Our recommendation for all affected entities, regardless of the current maturity of their digital and operational resilience, is to treat DORA as the trigger for either starting or enhancing their resilience journey. An initial gap analysis and maturity assessment is a great starting point.

Generally speaking, entities that already apply the current regulatory requirements in line with current audit practices will be better positioned to implement the majority of the DORA requirements. That being said, having supported numerous clients with their cybersecurity and resilience efforts, our message is: don’t be complacent. There is no such thing as “too resilient” or “too secure”, and the more resilient you are than your competitors, the greater your competitive advantage becomes.


Contacts

Ondřej Linhart

Information Security Management Leader, PwC Czech Republic

Tel: +420 732 633 983

Petr Špiřík

Partner, Cyber Security & Privacy, PwC Czech Republic

Tel: +420 774 191 101
