Regulations Series – DORA – Ep.1
Starter Handbook
In a bid to shield the financial sector from the growing dangers of digital vulnerabilities, the Digital Operational Resilience Act (DORA) is a pivotal piece of legislation within the European Union's regulatory framework. In force since 16 January 2023 and applicable from 17 January 2025, DORA introduces a holistic framework that promotes a cohesive strategy for operational resilience, emphasising the need for financial institutions to robustly confront and curtail risks associated with information and communication technologies (ICT). But it is more than ticking boxes for compliance: adopting rigorous cybersecurity practices is a strategic necessity. It is about ensuring that financial organisations are equipped not only to endure technology-related disruptions but also to recover from them swiftly, preserving market stability and consumer confidence.
As the application date approaches, compliance officers in finance must grasp and adapt to DORA's wide-reaching mandates. The regulation applies to a broad range of financial entities, from traditional banks and insurers to newer players such as crypto-asset service providers, and it extends to the ICT third-party service providers on which they depend. It demands a proactive update of digital risk management practices. By integrating DORA's requirements with current policies, compliance officers are not just filling in the blanks; they are fortifying their organisations against digital threats. This journey towards compliance, while challenging, sets the stage for enhanced cybersecurity, governance, and incident response, reinforcing a durable infrastructure at the intersection of finance and technology.
This summary emphasises the elements of DORA most relevant to compliance officers; a deeper reading of the regulation itself[1] is recommended for a full grasp of its scope and implications.
Developing a Comprehensive Compliance Roadmap
With a focus on ensuring operational continuity amidst disruptions, DORA sets forth a uniform framework to address the challenges ushered in by increased digitalisation and interconnectedness in financial services. It mandates financial entities to establish resilient ICT risk management practices, thereby preserving market integrity and consumer confidence.[2]
To navigate the complexities of DORA compliance, a structured roadmap tailored for compliance managers is imperative. This begins with a comprehensive review of existing practices, assessing their robustness against the regulation’s requirements:
- Initial assessment: Conduct a thorough evaluation of current ICT risk management frameworks, policies, and procedures, along with existing third-party contracts and the inventory of ICT assets that support critical or important functions.
- Gap identification: Map DORA's mandates against the entity's existing policies and practices to pinpoint areas of non-conformance or inadequacy.
- Action plan development: Formulate a strategic action plan to address the identified gaps, including timelines, responsible parties, and performance indicators to ensure effective implementation and compliance.
- Implementation and continuous improvement: Execute the plan with a focus on strengthening the entity's digital operational resilience. Regular monitoring and iterative improvement in response to new technologies and evolving cyber threats are crucial to maintaining compliance and ensuring that the implemented measures remain effective.
Conducting a Thorough Gap Analysis
When performing the gap analysis to evaluate how your organisation’s existing practices measure up against the rigorous standards outlined in DORA, it is essential to identify key areas to focus on:
- ICT risk management framework[3]: first, evaluate the comprehensiveness and effectiveness of your organisation's framework in identifying, assessing, mitigating, and monitoring ICT risks; then assess whether your company has established a formal digital operational resilience strategy[4] and a digital operational resilience testing programme (Chapter IV of the Regulation, Articles 24 to 27), including threat-led penetration testing for the entities required to perform it.
- Third-party risk management: review your organisation's policies and procedures for managing ICT third-party service providers, including due diligence, contract management, and oversight mechanisms[5], and check that the register of information on all contractual arrangements with ICT third-party service providers required by Article 28(3) is maintained and kept up to date; ensure that the company has appropriate controls in place to address ICT third-party risks and dependencies[6].
- Business continuity and incident response: evaluate the adequacy of the ICT business continuity plans, including provisions for critical or important functions outsourced to third-party service providers[7]; assess the effectiveness of the incident response and recovery plans in relation to ICT-related incidents and disruptions[8], and verify that the incident management process can classify ICT-related incidents and report major ones to the competent authority within the mandated timelines (Articles 17 to 19).
- Access control and authentication mechanisms: review your organisation's access control policies and procedures to ensure that access to information assets and ICT systems is restricted to authorised personnel and limited to what each role legitimately requires[9]; evaluate the strength and effectiveness of the authentication mechanisms used to verify the identity of users accessing ICT systems and sensitive data[10], paying particular attention to privileged and remote access.
- Change management and patch management: assess your company's change management processes to ensure that changes to ICT systems are controlled, documented, tested, and approved before implementation[11]; review your organisation's patch management practices[12] to ensure timely application of security patches and updates to address vulnerabilities in ICT systems, and that unpatched or end-of-life components are identified and tracked.
- Training and awareness programmes: evaluate the existence and effectiveness of ICT security awareness programmes and digital operational resilience training for staff and management; ensure that employees are adequately trained to recognise and respond to ICT risks and incidents[13].
Leadership Oversight and Information Sharing
While implementing DORA in your organisation, it is essential to grasp what the regulation requires of leadership in ICT risk management. DORA elevates the responsibility of board members, executive leaders, and senior managers: these leaders must have sufficient knowledge and skills to understand and assess ICT risks and their potential impact on the organisation's operations[14]. The active involvement of the management body[15], which defines, approves, and oversees the ICT risk management framework and bears ultimate responsibility for it, is essential in adapting the overall digital operational resilience strategy to emerging threats and technological advancements.
According to Deloitte,[16] this means that Boards and executive leaders will need to “be able to articulate how up-front costs are balanced out by having a more resilient operating model that stands up to increasing regulatory scrutiny over time”.
Furthermore, the emphasis DORA places on the exchange of cyber threat information and intelligence[17] presents a strategic opportunity to bolster your institution's defences. Participation in such information-sharing arrangements is voluntary under Article 45, but financial entities must notify their competent authority when they join or leave one. Engaging in collaborative information-sharing networks or platforms can provide valuable insights into emerging threats and best practices in risk mitigation, enhancing your institution's ability to address potential vulnerabilities pre-emptively and contributing to the overall resilience of the financial sector.
Conclusion
The introduction of DORA is a critical juncture in digital finance, urging financial institutions to adopt a proactive and agile compliance approach. This not only offers a competitive edge but also strengthens operational resilience and cybersecurity, enhancing market reputation, stakeholder confidence, and operational efficiency. Such an approach positions institutions as industry leaders, making resilience a fundamental aspect of their identity in the digital finance era.
Featured image source: Midjourney
[1] Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance) (Last accessed: 28th of March 2024) https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32022R2554
[2] For more information: IBM “What is the Digital Operational Resilience Act (DORA)?” (Last accessed: 28th of March 2024) https://www.ibm.com/topics/digital-operational-resilience-act
[3] See Article 6 of the Regulation on the “ICT risk management framework”: “1. Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively and to ensure a high level of digital operational resilience.”
[4] See Article 6.8: “The ICT risk management framework shall include a digital operational resilience strategy setting out how the framework shall be implemented”. The digital operational resilience testing programme itself is set out in Chapter IV, Articles 24 to 27.
[5] See Article 28 on the “General principles” for a sound management of ICT third-party risk.
[6] See Articles 8 and 11.5.
[7] See Article 11.4.
[8] See Article 11.3: “As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement associated ICT response and recovery plans which, in the case of financial entities other than microenterprises, shall be subject to independent internal audit reviews.”
[9] See Article 9, in particular Article 9.4(c) on access management policies, procedures, and controls.
[10] See Article 9.4(d): “As part of the ICT risk management framework referred to in Article 6(1), financial entities shall implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes;”
[11] See Article 8.3: “Financial entities, other than microenterprises, shall perform a risk assessment upon each major change in the network and information system infrastructure, in the processes or procedures affecting their ICT supported business functions, information assets or ICT assets.” See also Article 9.4(e) on documented policies, procedures, and controls for ICT change management.
[12] See Article 9.4(f): “As part of the ICT risk management framework referred to in Article 6(1), financial entities shall have appropriate and comprehensive documented policies for patches and updates.”
[13] See Articles 5.2(d), 5.4, 13.6, and 16.1(h).
[14] See Article 5.4: “Members of the management body of the financial entity shall actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis, commensurate to the ICT risk being managed.”
[15] See Recital 45.
[16] Suchitra Nair and Scott Martin (02 December 2022) “The EU Digital Operational Resilience Act (DORA) is here: what are its strategic implications for the Boards of FS firms?” (Last accessed: 28th of March 2024) https://www2.deloitte.com/uk/en/blog/emea-centre-for-regulatory-strategy/2022/the-eu-digital-operational-resilience-act-dora-is-here.html
[17] See Recital 34 and Article 45 on information-sharing arrangements on cyber threat information and intelligence.
_______________
For expert guidance on DORA compliance and implementation strategies, explore the resources provided by LHoFT's Leadership Circle Partners and Associate Partners to help you navigate the complexities of digital operational resilience.