An Overview of the Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation that was enacted on 16 January 2023 and will apply as of 17 January 2025. The act aims to strengthen Information and Communication Technology (ICT) security across financial entities. DORA harmonises the rules on digital operational resilience for the financial sector, applying to 21 different types of financial entities, of which 12 fall within the remit of ESMA. These entities include Account Information Service Providers, Data Reporting Service Providers and Managers of Alternative Investment Funds.

The Timeline

  • 16 January 2023: the Digital Operational Resilience Act (DORA) enters into force.
  • 29 September 2023: the ESAs provide technical advice on the criticality criteria and oversight fees.
  • 17 January 2024: the first batch of policy mandates (final report) takes effect.
  • 17 January 2025: the feasibility report on the EU Hub and DORA is due.

The Impact of DORA on Financial Services

The financial sector is increasingly dependent on ICT tools and systems to deliver its financial services, and increasingly relies on ICT service providers to supply them. This exposes financial entities to potential ICT (third-party) risk, because the delivery of their financial services depends on entities that are neither directly supervised nor subject to the same regulatory frameworks (i.e. where the ICT service providers are not themselves financial entities).

When not managed properly, ICT risks can lead to disruptions in financial service delivery. Such disruptions can spread to other financial entities, to other sectors and to the wider economy, which underlines why digital operational resilience matters to the financial sector.

Key Provisions and Requirements of DORA

DORA requirements are broken down across five pillars. However, these legal requirements do not prescribe a specific implementation order, unlike the UK's detailed operational resilience framework. EU firms can choose their own starting point for resilience development, but this does not mean DORA's five pillars are independent of one another. For instance, defining critical functions and mapping ICT systems are essential initial steps that shape how the other requirements are met.

Risk Management

Pillar I of DORA is foundational: it drives incident classification and the evaluation of ICT third-party contracts. Sequencing should take into account the progress of the technical standards, allowing firms to align their plans with available resources while acknowledging the dependencies between pillars.

Firms must prioritise wisely, tackling time-intensive tasks early, especially in third-party risk management. Compliance levels vary across firms, influencing resource allocation and prioritisation, with a clear distinction between immediate and January 2025 requirements.

Developing a holistic approach to DORA’s level 1 and 2 requirements is crucial, as secondary legislation doesn’t cover all duties. Firms should integrate existing capabilities to avoid duplication, promote synergy in implementing the DORA framework and ensure efficient internal coordination across all related functions.

Pillar I focuses on ICT risk management and lays the foundation for all other pillars, requiring financial services (FS) firms to establish comprehensive policies, procedures and controls. Key actions include conducting gap assessments, creating activity roadmaps, and aligning with standards such as NIST and ISO 27001:2022.

Incident Reporting

Pillar II deals with incident management and reporting. It is likely to be less challenging initially, but it still requires new tools, staffing and processes. Firms should establish incident identification and management processes and create structured communication plans.

Digital Operational Resilience Testing

Pillar III, resilience testing, applies broadly, with an emphasis on threat-led penetration testing (TLPT). Actions include analysing the TLPT designation criteria and preparing for advanced testing, particularly for firms already familiar with penetration testing practices.

Information and Intelligence Sharing

Pillar IV, third-party risk management, presents significant compliance challenges that extend well beyond traditional outsourcing reviews. Actions include mapping ICT third-party services, conducting contract gap analyses, and negotiating contract amendments to meet DORA requirements.

Third-Party Risk Management

Pillar V addresses oversight of critical third-party providers, with new supervisory powers taking effect after 2025. FS firms should engage early with providers that may be designated as critical, while those providers should understand how FS firms use their services and align with international standards.

Conclusion

The brief implementation period and the ambiguity in secondary legislation make 2024 a crucial year for DORA compliance. Firms can ease this pressure by addressing the requirements proactively, engaging strategically with the secondary standards, and seeking clarity through dialogue with regulators and industry peers. Managing compliance efforts efficiently is essential for meeting the January 2025 deadline in a resource-constrained environment.

Speak to a GRC consultant to better understand the Digital Operational Resilience Act (DORA) and get compliance ready.

Risk Crew