As cyber incidents continue to be an issue for financial services firms, cybersecurity and IT management are more important than ever. The European Union (EU) has taken action by introducing a risk management framework for the financial sector.
DORA came into effect on 16 January 2023 and will apply to a wide range of financial institutions starting from 17 January 2025.
Exploring Digital Operational Resilience Act (DORA)
- What is the Digital Operational Resilience Act (DORA)?
- Who does DORA apply to?
- Why was DORA created?
- What are DORA requirements?
- What does DORA mean for UK firms?
What is the Digital Operational Resilience Act?
The Digital Operational Resilience Act (DORA) is an EU regulation establishing a mandatory ICT risk management framework for the financial sector. DORA establishes a unified framework for "financial entities" to manage risks related to IT, data, and digital operations.
It sets technical standards for these financial entities and their critical third-party technology service providers to enhance the resilience of networks and information systems against digital risks. This directive aims to strengthen digital resilience across the EU's financial sector.
Similar to the new rules introduced by the U.S. Securities and Exchange Commission (SEC), DORA assigns ultimate responsibility to boards of directors for the effectiveness of their firms' technical cybersecurity strategies. This makes cybersecurity a crucial aspect of business governance.
Who does DORA apply to?
DORA's technical standards must be implemented by 17 January 2025. This applies to the EU financial sector, where financial entities and their third-party technology providers must implement in their ICT systems.
Financial institutions in the UK encompass traditional entities like banks, investment firms, and credit institutions, as well as non-traditional ones such as crypto-asset service providers and crowdfunding platforms.
In addition to the abovementioned institutions, those affected by DORA include:
- Central securities depositories
- Central counterparties
- Account information service providers
- Payment institutions and electronic money institutions
- Trading venues and trade repositories
- Administrators of critical benchmarks
- Credit rating agencies
- Data reporting service providers
- Institutions for occupational retirement provision
- Insurance and reinsurance undertakings
- Managers of alternative investment funds (AIFMs) and management companies
- Securitisation repositories
It also extends to entities usually excluded from financial regulations, including third-party service providers supplying ICT systems and services, such as cloud service providers and data centres. Additionally, firms offering critical third-party information services, like credit rating services and data analytics providers, must comply with DORA requirements.
Why was DORA created?
DORA was created to address ICT risk management in the EU financial sector and harmonise the varying regulations across member states. Before DORA, EU financial regulations relied on capital to cover operational risks, with inconsistent guidelines on ICT and security risk management that varied by country.
This patchwork of regulations was challenging for financial entities to navigate. DORA aims to establish a universal framework, eliminating regulatory gaps, overlaps, and conflicts and ensuring all financial institutions adhere to the same standards, thereby enhancing the overall resilience of the EU financial system.
What are DORA requirements?
DORA sets technical requirements for financial entities and ICT providers in a few key areas:
ICT risk management and governance
All financial entities must identify and assess their ICT risk landscape and establish a comprehensive ICT risk management framework. This framework should govern and direct all ICT risk management activities.
Except for microenterprises, financial entities must ensure adequate separation and autonomy among their ICT risk management, control, and internal audit functions, following either the three lines of defence model or an internal risk management and control model.
Incident management, response, classification and reporting
Financial entities must establish a process for managing ICT-related incidents, including the capability to monitor, manage, and track these incidents. Significant incidents must be reported to the relevant competent authority.
Incident classification should follow regulatory criteria, considering the geographical impact, the criticality of affected services, and the incident's duration.
Digital operational resilience testing
Entities must regularly test their ICT systems to evaluate protections and identify vulnerabilities, reporting results and remediation plans to the relevant authorities. Annual tests, such as vulnerability assessments and scenario-based testing, are required.
Additionally, entities deemed critical to the financial system must undergo threat-led penetration testing (TLPT) every three years, with their critical ICT providers participating. Specific standards for TLPT are forthcoming, likely aligning with the TIBER-EU framework for threat intelligence-based ethical red-teaming.
Third-party risk management
A unique aspect of DORA is its applicability to both financial entities and their ICT providers. Financial firms must actively manage ICT third-party risks, ensuring that outsourcing contracts for critical functions include specific provisions for exit strategies, audits, and performance targets for accessibility, integrity, and security.
Contracts with ICT providers that fail to meet these requirements are prohibited, and competent authorities can suspend or terminate non-compliant contracts. Financial institutions must also map their third-party ICT dependencies, ensuring that critical functions are not overly reliant on a single provider or small group of providers.
Relevant European Supervisory Authorities (ESAs) will directly oversee critical ICT third-party service providers, with criteria for determining critical providers still under development. Lead overseers will enforce DORA requirements on these providers and can prevent them from entering into non-compliant contracts with financial firms or other ICT providers.
ICT third-party providers' oversight framework
DORA grants extensive supervisory powers to ESAs over Critical ICT Third-Party Providers (CTPPs), enabling them to assess, request changes in security practices, and impose sanctions. Safeguards ensure that suspending or terminating contracts with CTPPs is an exceptional measure, considering sector-wide implications.
The Joint Oversight Forum (JOF) will play a key role in setting resilience standards for CTPPs, enhancing the oversight structure. Additionally, DORA's implementation includes developing draft regulatory technical standards (RTS) and implementing technical standards (ITS) to provide detailed guidelines for financial entities.
Information sharing arrangements
While information sharing is encouraged, it is not mandatory.
Financial institutions are urged to share cyber threat information and intelligence with each other, provided this exchange occurs within trusted communities, enhances the digital operational resilience of the entities involved, and complies with relevant legislation.
The enforcement of these requirements will be proportionate, with smaller entities facing less stringent standards than larger financial institutions. Although the specific Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs) are still being developed, the current DORA legislation provides a general outline of the expected requirements.
What does DORA mean for UK firms?
For UK firms, DORA signifies a significant development in regulatory oversight, although it does not directly apply in the UK. While UK regulatory authorities already have requirements for regulated firms regarding outsourcing and operational resilience, the introduction of DORA introduces additional considerations, particularly for firms operating within or interacting with the EU.
While there is overlap between the Financial Conduct Authority's (FCA) operational resilience rules and DORA requirements, DORA's scope is broader, encompassing a wider range of financial activities and service providers, such as those in crypto-assets, crowdfunding, and data reporting. UK firms subject to operational resilience requirements have already undertaken significant preparations, such as identifying critical business services, dependency mapping, and scenario testing.
However, DORA introduces new elements, such as detailed operational resilience testing around ICT and threat intelligence sharing, which will require additional compliance efforts. Even large UK financial firms, already extensively regulated, will face challenges in aligning with DORA requirements, likely necessitating the adoption of the highest common denominator approach across their group.
DORA will serve as a catalyst for firms to integrate existing programmes, such as operational resilience, cloud transformation, and cyber transformation.
Want to learn more about Risk Management?
We’ve created a comprehensive Enterprise Risk Management roadmap to help you navigate the compliance landscape, supported by IIRSM-accredited e-learning in our Risk Management Course Library. The IIRSM approves quality content and integrates risk decision-making to help keep people and organisations safe, healthy and resilient.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.
