As cyber incidents continue to be an issue for financial services firms, cybersecurity and IT management are more important than ever. The European Union (EU) has taken action by introducing a risk management framework for the financial sector.
DORA came into effect on 16 January 2023 and will apply to a wide range of financial institutions starting from 17 January 2025.
Exploring Digital Operational Resilience Act (DORA)
- What is DORA?
- Who does DORA apply to?
- Why was the DORA regulation created?
- What are the components of the DORA framework?
- What are DORA compliance requirements?
- What does DORA mean for UK firms?
- What does DORA mean for non-financial services firms?
- How can your firm achieve DORA compliance?
What is DORA?
The Digital Operational Resilience Act (DORA) is an EU regulation establishing a mandatory ICT risk management framework for the financial sector. DORA establishes a unified framework for "financial entities" to manage risks related to IT, data, and digital operations.
It sets technical standards for these financial entities and their critical third-party technology service providers to enhance the resilience of networks and information systems against digital risks. The regulation aims to strengthen digital resilience across the EU's financial sector.
Similar to the new rules introduced by the U.S. Securities and Exchange Commission (SEC), DORA assigns ultimate responsibility to boards of directors for the effectiveness of their firms' technical cybersecurity strategies. This makes cybersecurity a crucial aspect of business governance.
Who does DORA apply to?
DORA's technical standards must be implemented by 17 January 2025. This applies to the EU financial sector, where financial entities and their third-party technology providers must implement them in their ICT systems.
Financial institutions encompass traditional entities like banks, investment firms, and credit institutions, as well as non-traditional ones such as crypto-asset service providers and crowdfunding platforms.
In addition to the above-mentioned institutions, those affected by DORA include:
- Central securities depositories
- Central counterparties
- Account information service providers
- Payment institutions and electronic money institutions
- Trading venues and trade repositories
- Administrators of critical benchmarks
- Credit rating agencies
- Data reporting service providers
- Institutions for occupational retirement provision
- Insurance and reinsurance undertakings
- Managers of alternative investment funds (AIFMs) and management companies
- Securitisation repositories
It also extends to entities usually excluded from financial regulations, including third-party service providers supplying ICT systems and services, such as cloud service providers and data centres. Additionally, firms offering critical third-party information services, like credit rating services and data analytics providers, must comply with DORA requirements.
Why was the DORA regulation created?
DORA was created to address ICT risk management in the EU financial sector and harmonise the varying regulations across member states. Before DORA, EU financial regulations relied on capital to cover operational risks, with inconsistent guidelines on ICT and security risk management that varied by country.
This patchwork of regulations was challenging for financial entities to navigate. DORA aims to establish a universal framework, eliminating regulatory gaps, overlaps, and conflicts and ensuring all financial institutions adhere to the same standards, thereby enhancing the overall resilience of the EU financial system.
What are the components of the DORA framework?
DORA sets technical requirements for financial entities and ICT providers in a few key areas:
ICT risk management and governance
All financial entities must identify and assess their ICT risk landscape and establish a comprehensive ICT risk management framework. This framework should govern and direct all ICT risk management activities.
Except for microenterprises, financial entities must ensure adequate separation and autonomy among their ICT risk management, control, and internal audit functions, following either the three lines of defence model or an internal risk management and control model.
Incident management, response, classification and reporting
Financial entities must establish a process for managing ICT-related incidents, including the capability to monitor, manage, and track these incidents. Significant incidents must be reported to the relevant competent authority.
Incident classification should follow regulatory criteria, considering the geographical impact, the criticality of affected services, and the incident's duration.
Digital operational resilience testing
Entities must regularly test their ICT systems to evaluate protections and identify vulnerabilities, reporting results and remediation plans to the relevant authorities. Annual tests, such as vulnerability assessments and scenario-based testing, are required.
Additionally, entities deemed critical to the financial system must undergo threat-led penetration testing (TLPT) every three years, with their critical ICT providers participating. Specific standards for TLPT are forthcoming, likely aligning with the TIBER-EU framework for threat intelligence-based ethical red-teaming.
Third-party risk management
A unique aspect of DORA is its applicability to both financial entities and their ICT providers. Financial firms must actively manage ICT third-party risks, ensuring that outsourcing contracts for critical functions include specific provisions for exit strategies, audits, and performance targets for accessibility, integrity, and security.
Contracts with ICT providers that fail to meet these requirements are prohibited, and competent authorities can suspend or terminate non-compliant contracts. Financial institutions must also map their third-party ICT dependencies, ensuring that critical functions are not overly reliant on a single provider or small group of providers.
Relevant European Supervisory Authorities (ESAs) will directly oversee critical ICT third-party service providers, with criteria for determining critical providers still under development. Lead overseers will enforce DORA requirements on these providers and can prevent them from entering into non-compliant contracts with financial firms or other ICT providers.
ICT third-party providers' oversight framework
DORA grants extensive supervisory powers to ESAs over Critical ICT Third-Party Providers (CTPPs), enabling them to assess, request changes in security practices, and impose sanctions. Safeguards ensure that suspending or terminating contracts with CTPPs is an exceptional measure, considering sector-wide implications.
The Joint Oversight Forum (JOF) will play a key role in setting resilience standards for CTPPs, enhancing the oversight structure. Additionally, DORA's implementation includes developing draft regulatory technical standards (RTS) and implementing technical standards (ITS) to provide detailed guidelines for financial entities.
Information sharing arrangements
While information sharing is encouraged, it is not mandatory.
Financial institutions are urged to share cyber threat information and intelligence with each other, provided this exchange occurs within trusted communities, enhances the digital operational resilience of the entities involved, and complies with relevant legislation.
The enforcement of these requirements will be proportionate, with smaller entities facing less stringent standards than larger financial institutions. Although the specific Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs) are still being developed, the current DORA legislation provides a general outline of the expected requirements.
Regulatory Technical Standards (RTS)
DORA sets out Regulatory Technical Standards (RTS) that provide detailed requirements for financial entities. These standards are crucial for maintaining consistency and ensuring that all institutions adhere to the same level of operational resilience.
What are DORA compliance requirements?
Compliance with DORA involves adhering to several regulatory standards and practices:
- Governance and control: establishing a robust governance framework to oversee ICT risk management.
- Operational resilience strategy: developing and maintaining a strategy that ensures business continuity.
- Regular audits: conducting regular audits to assess the effectiveness of the resilience framework.
What does DORA mean for UK firms?
For UK firms, DORA signifies a significant development in regulatory oversight, although it does not directly apply in the UK. While UK regulatory authorities already have requirements for regulated firms regarding outsourcing and operational resilience, the introduction of DORA introduces additional considerations, particularly for firms operating within or interacting with the EU.
While there is an overlap between the Financial Conduct Authority's (FCA) operational resilience rules and DORA requirements, DORA's scope is broader, encompassing a wider range of financial activities and service providers, such as those in crypto-assets, crowdfunding, and data reporting. UK firms subject to operational resilience requirements have already undertaken significant preparations, such as identifying critical business services, dependency mapping, and scenario testing.
However, DORA introduces new elements, such as detailed operational resilience testing around ICT and threat intelligence sharing, which will require additional compliance efforts. Even large UK financial firms, already extensively regulated, will face challenges in aligning with DORA requirements, likely necessitating the adoption of the highest common denominator approach across their group.
DORA will serve as a catalyst for firms to integrate existing programmes, such as operational resilience, cloud transformation, and cyber transformation.
What does DORA mean for non-financial services firms?
The impact of DORA extends to non-financial services firms, too, particularly those that provide critical services to the financial sector, such as IT service providers. Here's what DORA means for non-financial services firms:
1. Critical third-party providers
DORA directly affects non-financial firms that offer technology or outsourcing services to financial institutions, such as cloud providers, IT infrastructure firms, or data analytics services.
These firms will need to ensure they meet stringent operational resilience requirements because financial institutions rely on them. DORA classifies some of these entities as “critical third-party providers” (CTPPs), subjecting them to regulatory oversight.
2. Compliance with financial sector standards
Non-financial service providers working with financial institutions must adhere to new standards related to ICT risk management, incident reporting, and cybersecurity.
They need to demonstrate robust security and resilience mechanisms and comply with service level agreements (SLAs) that align with DORA’s resilience standards.
3. Increased regulatory scrutiny
If a non-financial services firm becomes a designated critical provider under DORA, it could be subject to oversight by the European Supervisory Authorities (ESAs) or other financial regulators. This could involve audits, compliance checks, and the obligation to provide reports on operational resilience.
4. Incident reporting
Even if a non-financial services firm is not directly regulated under DORA, any operational failures that affect a financial institution's services (such as system downtime or security breaches) may trigger mandatory incident reporting under DORA’s requirements. This could lead to more frequent interactions with financial regulators.
5. Contractual implications
Financial institutions will likely require their non-financial third-party providers to agree to contractual terms that ensure compliance with DORA, including provisions for incident response, data protection, and operational continuity. Non-financial firms may need to review and adjust their contracts and internal processes accordingly.
6. Cross-border implications
DORA aims to establish consistent resilience standards across the EU. Non-financial firms that operate across borders or serve multiple financial institutions in the EU will need to ensure their resilience and cybersecurity measures are uniform and compliant with DORA requirements across the entire region.
While DORA directly targets the financial sector, non-financial services firms that provide critical services to financial institutions will be impacted by increased compliance, oversight, and the need to bolster their own operational resilience to meet the regulatory demands of their clients in the financial sector.
How can your firm achieve DORA compliance?
Achieving DORA compliance involves several key steps. First, firms need to familiarise themselves with DORA's specific requirements and how they apply. It is important for firms to develop a comprehensive compliance strategy to outline how these obligations will be met.
Leveraging advanced technologies is essential to enhance operational resilience, and institutions must regularly review and update their resilience frameworks to ensure ongoing compliance.
Want to learn more about Risk Management?
We’ve created a comprehensive Enterprise Risk Management roadmap to help you navigate the compliance landscape, supported by IIRSM-accredited e-learning in our Risk Management Course Library. The IIRSM approves quality content and integrates risk decision-making to help keep people and organisations safe, healthy and resilient.
We also have 100+ free compliance training aids, including assessments, best practice guides, checklists, desk aids, eBooks, games, posters, training presentations and even e-learning modules!
Finally, the SkillcastConnect community provides a unique opportunity to network with other compliance professionals in a vendor-free environment, priority access to our free online learning portal and other exclusive benefits.