The Digital Operational Resilience Act better known as DORA was first drafted by the European Commission on the 24th of September 2020 as part of the Digital Finance Package. In July 2022 a provisional agreement was reached at European Union level, and DORA is expected to come into force in Q1 2023 to be fully applicable by Q1 2025 after a two-year implementation period.
Why the need for DORA?
As the financial industry progressed and increased its reliance on ICT and information in digital form, the risk stemming from these technological solutions and other cyber related risks increased exponentially. The European Commission realised that there was an absence of detailed and comprehensive rules on digital operational resilience at an EU level, hence DORA came to be. DORA's aim is to consolidate and upgrade ICT risk requirements across member states using one common set of standards that will help reduce administrative obligations for financial entities and strengthen supervisory effectiveness.
What does this mean for the financial industry?
Companies will be required to have a framework in place that is able to withstand, respond and recover from all types of ICT-related disruptions and threats. The new requirements may be split into seven steps:
a) Scope of the Regulation and proportionality application of required measures (Article 2)
Since DORA covers a vast array of financial entities, it will facilitate a homogenous and coherent application of risk management on ICT-related areas. It will also safeguard a level playing field across the different entities in respect of their regulatory obligations on ICT risk. The DORA rules will be applicable to all financial entities though the principle of proportionality will apply. Applicability will depend on the size and activity of the entity which also relates to the overall risk it is subject to.
b) Governance related requirements (Article 4)
Responsibility for the implementation of the DORA rules lies with the management body of the entity. The management body's responsibility will be all-encompassing including the assignment of clear roles and responsibilities for all ICT-related functions as well as allocating the proper ICT investments and training.
c) ICT risk management requirements (Articles 5 to 14)
Systems and tools should help identify the sources of ICT risk on a continuous basis. Identification of these risk factors will lead to the development and implementation of appropriate safeguards. Regardless of the controls in place, some ICT issues, such as any other risks are still bound to materialise, making timely and proper detection, essential. Once detected, the correct response plans need to be in place to make sure recovery is quick with minimal impact. Should a risk incident take place, it is of utmost importance that the entity learns, evolves and communicates to help identify the cause of the incident and the effectiveness of the processes in place.
d) ICT-related incident reporting (Articles 15 to 20)
DORA aims to harmonise the ICT-related incident reporting regime by requiring all financial entities to report to their competent authorities through a single streamlined framework. Through this centralisation reporting system catered for major ICT-related incidents, the regulation aims to ease the flow of ICT-related incident reporting, decrease associated costs and improve supervisory convergence.
e) Digital operational resilience testing (Articles 21 to 24)
Through DORA, testing results will be homogenous across the different entities and countries. The DORA proposal strongly recommends that every three years, advanced testing of ICT tools, systems and processes based on threat led penetration testing ("TLPT"), is carried out. The results of all financial entities should then be communicated to the competent authorities who will review, validate and issue an attestation.
f) ICT third-party risk (Articles 25 to 39)
DORA aims to highlight a set of principle-based guidelines to assist financial entities for outsourced ICT risk. Guidance on outsourcing to cloud service providers (ESMA/50/164/4285) already exist however DORA aims to tackle the counteracting systemic risk that most companies face, due to a limited number of critical ICT third-party service providers.
g) Information sharing (Article 40)
Sharing of information must be done within trusted communities of financial entities and done through information sharing agreements that protect all parties involved due to the potential sensitive information that is to be shared.
The above points are just a short summary of what DORA, which is part of an EU-wide "Digital Finance Package", will entail. The aim of the regulation is to assist financial entities to take advantage of the opportunities brought by innovation and technology whilst mitigating the associated new risks. The introduction of this regulation is a move in the right direction for the ever-evolving ICT world we currently live in.
DORA will require the ICT team and the Risk Management Function to work hand in hand for proper implementation. The team at RMC Wise are happy to assist with any queries relating to the Risk function to help you prepare for the implementation of DORA.
The team at RMC Wise are happy to assist with any queries to help you prepare for the implementation of DORA. You can contact us on info@rmcwise.com and someone from our team will get in touch with you to discuss things further.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.