The Digital Operational Resilience Act (DORA) was introduced as part of the Digital Finance Package (DFP) in 2020. The European Commission introduced the DFP to tighten regulatory measures for the financial services sector. The importance of DORA compliance for financial services institutions is acute, as the reliance on ICT, information and data stored digitally is essential for the functioning of financial institutions, in both on-site and remote work settings. DORA spans a varying degree of crucial functions, from operational resilience to cybersecurity and mitigating the impact of digital threats.
As digital dependency has increased across the sector, the risks associated with technological and cyber threats now call for a heightened emphasis on digital resilience. DORA regulations recognise the core need for operational resilience to stymie the potential vulnerabilities the financial sector is susceptible to.
In this article, we’ll explore the different pillars of DORA compliance, offering our insight and expertise to ensure your financial services business is well-equipped for the transition to DORA regulations upon their final implementation.
Timeline of DORA Regulations
As with any new large-scale piece of legislation, a gradual rollout and implementation phase was determined from the initial published draft.
DORA was formally approved on 10 November 2022 and published in the Official Journal on 27 December 2022. DORA will be in force as of 17 January 2025. Consequenty, financial entities should be compliant by the beginning of 2025.
What sectors and financial institutions are covered by DORA?
DORA will apply to a wide range of financial entities and institutions that span various sectors. This will include:
- Cryptoasset service providers
- Investment firms
- Central security depositories
- Trading venues
- Credit, payment and e-money institutions
- Data reporting service providers
- Insurance undertaking firms
- Credit rating agencies
Although DORA will broadly be applied throughout the industry, DORA groups financial institutions into 3 categories, with each category having different applications of the rules:
Basic Financial Entity: These entities are in full scope of DORA.
Microenterprise Financial Entity: Entities categorised under this will have certain exemptions from DORA.
Article 16 Financial Entity: Entities such as MiFID investment firms, occupational pension providers, and e-money institutions will also receive certain exemptions from DORA requirements, subject to certain conditions being met.
DORA compliance: Key Requirements and Obligations
DORA was introduced to ensure the security of networks and information systems used by businesses and organisations in the financial sector. This includes vital third parties who offer services related to information and communication technologies (ICT), such as cloud platforms or data analytics services.
Prior to the introduction of DORA, operational risk was regulated broadly through prudential capital requirements, rules on outsourcing arrangements, and guidelines on ICT and security risk management. More specifically, cyber and information security-related risks were addressed through penetration testing regimes, such as TIBER-EU, and voluntary standards and frameworks, such as ISO 27001 and NIST CSF.
DORA establishes a harmonised regulatory framework incorporating elements of pre-existing mandatory and voluntary regimes whilst expanding to include incident classification reporting, digital operational resilience strategy and testing, and greater detail on the ICT risk management process and policy requirements.
Who does DORA apply to?
DORA applies to 20 different types of regulated financial institutions including central counterparties, trading venues and investment managers.
DORA also applies to third parties who provide digital and data services to these institutions. Third parties will need to anticipate an influx of information requests from their customers as they pursue compliance by 2025. Third-party service providers may also be at risk of being designated “critical”, becoming subject to a regulatory oversight regime laden with the possibility of fines, investigations and other regulatory interventions.
At present, the rollout of DORA is a gradual implementation, however, all financial entities will be expected to have the relevant framework in place to achieve DORA compliance by the 17th January 2025. This will apply to every member state and the in-scope entities that fall into that.
Entities in-scope of DORA are required to adhere to a series of requirements and obligations as part of the DORA framework.
The five core pillars of the digital resiliency framework for financial entities include:
- Governance and ICT Risk Management
- Incident Classification and Reporting
- Digital Resilience Testing and Threat-Led Penetration Testing
- Third-Party ICT Provider Risk Management
- Threat Information Sharing Arrangements
Governance
Management bodies of financial institutions will be held responsible for implementing governance requirements such as:
- Oversight – bearing ultimate responsibility for the financial entity’s ICT risk
- Data Standards – Establishing policies to ensure high standards of data availability, authenticity, integrity, and confidentiality are met.
- Digital Operational Resilience Strategy – To include determining the risk tolerance levels for the financial entity, establishing your firm’s DOR objectives, evidencing the current DOR situation, explaining the current ICT architecture and whether any alignment needs to be made to meet business strategy and objectives.
- Business Continuity and Response Plan – Overseeing and reviewing the ICT business continuity and response plans.
- Efficient Reporting Channels – Reporting on any changes to arrangements with ICT third-party service providers, relevant changes to these arrangements, potential impacts on critical functions, and major ICT-related incidents.
- Roles and Responsibilities – Ensuring that key roles and responsibilities in relation to the management of ICT risk are established, particularly in relation to third-party ICT services providers.
- Training and Awareness: Keeping up to date with sufficient skills and knowledge to effectively understand and manage ICT risk.
ICT Risk Management
Establishing a risk management framework is integral for reviewing policies, strategies, procedures and the tools used to protect information and ICT assets. This should include:
- Reliability of ICT systems in being able to handle data processing needs and remaining resilient to technological threats
- Documentation of all supported ICT roles and functions, identifying and updating any relevant processes, risk assessments and inventories
- Financial entities must continuously monitor and control ICT systems to minimise risk
- Ensuring adequate detection of risks and threats through the medium of automatic alerts, sufficient monitoring controls and systems to check trade reports
- Financial entities must have ICT business continuity policies and response plans, to ensure the continuity of critical functions and efficient response to incident
- Development of efficient backup policies, procedures, restoration and recovery policies
- Collate data and intelligence on any vulnerabilities, cyber threats and ICT incidents
- A crisis communication plan to disclose any such instances of threats that stakeholders should be made aware of
- Regulatory Technical Standards (RTS) that specify elements of ICT security Policies
- ICT and Information Asset Management Policy
- Encryption and Cryptographic Controls Policy
- Documented Capacity and Performance Procedures
Incident Classification and Reporting
DORA will establish a harmonised framework for the classification and reporting of major ICT-related incidents and significant cyber threats. Financial institutions will be required to monitor and classify all ICT-related incidents and cyber threats that occur in and affect their organisations.
Financial entities will need to assess each incident and cyber threat against a set of quantitative and qualitative criteria to determine whether they meet the appropriate thresholds to be considered major or significant. Failure to have the appropriate classification data available in time may result in incorrect classifications of incidents and threats resulting in under and over-reporting.
In addition to reporting to the regulator, where an incident or threat is set to harm the financial interests of clients, a financial entity must inform its clients of the incident and the steps being taken to mitigate harm.
It is important to note that requirements will continue to exist in parallel to existing ICT-related reporting requirements, such as under the GDPR. Organisations will need to ensure that they will have the appropriate resources and knowledge to be able to handle this additional reporting requirement and follow up communications with the regulator.
Digital operational resilience testing explained
DORA requires financial entities to develop a robust programme to test digital operational resilience throughout their business.
Testing is key to understanding the level of impact that financial entities are exposed to and can tolerate. Unless your business is classified as a microenterprise, you will be mandated to establish a digital operational resilience program to assess how prepared your institution is in the face of threats and cyber vulnerability. Within the framework of your testing, you should deploy assessments and tests that align with the pre-determined risk considerations you have outlined.
Testing under DORA will require firms to establish, monitor and document the process and findings of various testing including, but not limited to, vulnerability assessments, network security assessments and physical security assessments.
Penetration Testing
Additionally, financial entities, subject to exemptions, must perform triennial threat-led penetration testing which will need to be performed on live systems that support the organisation’s most critical business functions. Firms unfamiliar with this process should begin preparing now in order to adequately involve third parties where necessary and ensure the safety of data during the process.
Testing is critical for identifying gaps within your operational resilience framework, so you can redress the balance, avoiding potentially damaging consequences and meet DORA compliance requirements. Conduct tests independently to negate any potential conflicts of interest and to prioritise and rectify issues identified. Yearly tests on ICT systems are required as part of the framework.
Consequences of non-compliance for your firm
This will be determined by the local regulator’s assessment of the non-compliance. Largely, consequences are in the form of fines, which have been touted as 1-2% of global revenues for your business. For example, the Central Bank of Ireland has laid out a boundary in line with GDPR fines, which accumulate to 2% of annual worldwide turnover.
Learning and development will play a key role in demonstrating sound compliance to the regulator. It is essential that, when incidents occur, firms are able to demonstrate that the DORA requirements have been met and that any negative findings and issues are remediated and incorporated into the overall risk framework and strategy. We understand that processes and systems can go wrong sometimes. Where this happens, being able to show the regulator full compliance with DORA requirements will reduce the risk of hefty fines and reputational risk.
Assessing the impact of non-adherence to DORA
As the DORA regulation is still in development, we cannot accurately determine any real-world examples yet of non-compliance, but, that doesn’t mean large firms and banks go unpunished for falling foul of existing operational resilience guidelines. In December 2022, a Tier 1 bank was found to have breached the UK Prudential Regulation Authority operational risk management guidelines and governance failures. The bank was fined a total of £48,650,000 for operational resilience failings.
The fine was handed to the bank as a result of technical failures following a large-scale data migration that caused significant disruption to the continuity of all banking services. The end result? The bank has had to pay £32.7m in redress to affected customers. The Chief Information Officer was also fined £81,620 for failing to ensure reasonable adjustments were made to navigate the migration safely.
The consequences of failure to adhere to DORA could be similar to this. We understand that from time to time, processes and systems can go wrong. Every financial services business will experience difficulties, the crucial aspect is to be vigilant and well-prepared for any event. Showcasing your contingency measures are adept in identifying and fixing issues quickly will limit the damage to your business and demonstrate an aptitude to regulators that you can solve any problems efficiently.
How your financial services business can prepare for DORA
DORA is a complex and prescriptive new regulation that will require significant change for many Financial Services firms. Understanding how ready your organisation is to meet these requirements and the magnitude of change required to close the gap from work completed by other cybersecurity and risk / operational resilience initiatives, will often require insight and direction from industry subject matter experts. Novatus can support you in all DORA assessment & preparation activities and establish a DORA implementation program that covers all bases to meet regulatory standards.
We’ll start by helping you to assess the full scope of the work that needs to be carried out. Depending on the type of business, we’ll develop a five-step model for our clients which includes:
- Entity Scoping Classification Model – Using our DORA Classification Model to categorise financial entities and critical third-party ICT service providers. The subsequent phases are then completed for in-scope entities.
- Entity Criticality Assessment – From this classification, we apply our proprietary classification framework to assess the most critical entities, which allows larger organisations to determine which of your entities are in scope, and why, with a scoring of criticality to help direct further assessment and prioritisation.
- Gap Analysis – We will then leverage our DORA Gap Analysis solution to quickly identify gaps in entity frameworks between key DORA requirements and each in-scope entity’s existing ICT, information security and cybersecurity frameworks. This will provide actionable MI to ascertain the level of change required within each entity.
- Prioritisation of entities – Using the information gathered from our criticality assessment and gap analysis, we can then understand the entities that need to be prioritised.
By following the first four steps, we help our clients develop a clear picture of the size and scale of change required to meet DORA requirements by each entity. We also work with clients through these initial stages to help determine whether the DORA requirements should be adopted at a Group level or for entities outside of the EU that are not in scope. This is an important strategic decision that many firms wish to take to further safeguard group entities from cybersecurity threats or future proof against local regulatory demands.
Once the scope of work is known, we work with clients on the 5th step:
Setup of a DORA implementation programme – We will work with you to define the scope and roadmap of a DORA implementation programme and establish the governance, project artefacts and plans to ensure a seamless transition from your initial assessment work through to the delivery of required change to become DORA compliant.
Start your journey towards DORA compliance
We’re ready to help you, whatever stage you are at, from initial categorisation through to implementation.
Our team can help you get a comprehensive understanding of your digital infrastructure, integrate DORA requirements with existing regulatory frameworks, strengthen vendor and third-party risk management, and establish effective testing and exercise protocols.
Contact us today to find out how we can help prepare your business ahead of your DORA implementation.
We’ve also developed a handy guide to operational resilience that you can download for further detailed insight on strengthening resilience throughout your business. Novatus are a leading global advisory and technology business – we also offer authorisation services, compliance solutions and data solutions.