The Digital Operational Resilience Act (DORA) is a new European framework for the effective and comprehensive management of digital risk in financial markets.
The framework shifts the focus from guaranteeing firms’ financial soundness alone to also ensuring that they can maintain resilient operations through an incident of severe operational disruption arising from cyber security and ICT issues.
By introducing a single, consistent supervisory approach across the relevant sectors, DORA drives convergence and harmonisation of security and resilience practices across the EU.
DORA will enter into force on 16 January 2023. With an implementation period of two years, financial entities will be expected to comply with the regulation by early 2025 at the latest.
The Digital Operational Resilience Act (Regulation (EU) 2022/2554) addresses an important gap in EU financial regulation. Before DORA, financial institutions managed the main categories of operational risk mainly through the allocation of capital, but they did not manage all components of operational resilience. Certain topics, such as threat intelligence and threat-led penetration testing, are new in character and therefore require heightened attention. A further challenge we see is developing overarching visibility and understanding of all the key dependencies between your entity and your critical ICT service providers.
Our recommendation for all entities in scope is therefore this: regardless of your current maturity in digital and operational resilience, DORA should be the trigger for either starting or enhancing your resilience journey. An initial gap analysis and maturity assessment is a good starting point.
Generally, entities that already apply the current regulatory requirements in line with current audit practices may be better positioned to implement the majority of the DORA requirements. Yet, having supported numerous clients with their cyber security and resilience efforts, our message is: do not be complacent. There is no such thing as “too resilient” or “too secure”. Remember that, in the end, the more resilient you are than your competitors, the greater your competitive advantage.
We view DORA simultaneously as a challenge and opportunity for financial entities. The EU-wide uniform requirements of DORA mean that financial entities need to ensure they can manage a consistent maturity level of cyber security and operational resilience across all their EU operations.
With a two-year “getting ready” period, there is a lot that needs to be considered, implemented, and demonstrated. Starting right now, financial institutions will want to conduct comprehensive gap assessments to evaluate their maturity against DORA and to identify in good time any areas that require further investment and prioritisation. This will put your business in a better position to address more complex requirements such as supply-chain risk management, threat intelligence, and advanced security testing, giving you a competitive advantage in the market.
We see DORA as a significant change for entities under ESMA or EIOPA supervision, but also for banks, which have already had to comply with the existing EBA guidelines on banking supervision. DORA also extends its scope to other stakeholders in the financial sector that so far have not been subject to extensive ICT security regulation, e.g. crypto-asset service providers, intermediaries, managers of alternative investment funds, crowdfunding service providers, cloud service providers and ICT third-party service providers.
Given the strong focus on third-party risk management, entities are expected to satisfy themselves of a third party’s resilience. This will require close interaction and joint efforts with their critical ICT third-party service providers, especially where those providers support the delivery of an important business service.
Financial entities are required to set up a comprehensive ICT risk management framework, including:
Financial entities are required to:
The regulation requires all entities to:
Financial entities are required to: