Financial Services Ireland

How should financial entities best prepare for the Digital Operational Resilience Act (DORA)?

On 10 November 2022, the Digital Operational Resilience Act (DORA) was approved at the European Parliament’s (EP) plenary session.  DORA will make the compliance and regulatory landscape of the financial services (FS) sector more homogeneous with regard to digital resilience, the management of ICT-related risks and cyberthreats.

DORA is designed to ensure financial entities focus on a Digital Resilience Strategy accompanied by a Digital Resilience Framework.  Therefore, it requires an end-to-end view of the entire ICT landscape that supports critical business functions, as well as a mature approach to Business Continuity Management, ICT Incident Management and ICT Third Party Risk Management.

DORA will effectively constitute law.  It entered into force on 16 January 2023, following which firms have a 24-month period to achieve the required compliance (by 17 January 2025).  It remains unclear exactly how DORA will affect the FS industry.  CIOs and CISOs continue to voice concerns as to how DORA will shape the market.  Most importantly, financial entities are still struggling to understand clearly what they should do to prepare for such a demanding change.

A shift from compliance to a “resilience- and risk-centric approach”

The main purpose of DORA is to make sure that digital resilience policies and frameworks, as well as their governance, are integrated into an overarching Digital Resilience Strategy at an institution-wide level.  This calls for a shift in responsibilities, culture, mindset and governance.  DORA places emphasis on the role of the management body.  CEOs and Executive Committees are the main stakeholders responsible and accountable for defining this strategy.  Therefore, they should prioritise Digital Resilience as a key element on their upcoming roadmaps and agendas, as this requires major coordination between all departments within institutions and cannot be achieved overnight.

To ensure digital resilience, DORA emphasises 6 key domains:

  1. Governance & Organization;
  2. ICT Risk Management Framework;
  3. ICT Incident Management, Classification & Reporting;
  4. Digital Operational Resilience Testing;
  5. ICT Third-Party Provider Risk Management; and
  6. Information Sharing.

For each of these areas, DORA includes specific requirements that need to be embedded into the company’s “people, processes and products”.  This requires institutions to align their current frameworks and governance to the European Supervisory Authorities’ (ESAs) expectations and to embed the current and upcoming Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs) issued under DORA into their overarching risk management practice.

Closer collaboration with ESAs and stronger controls

The predominant message coming out of the 64 articles of DORA is that the ESAs will play a key role in ensuring overall market digital resilience.  Financial entities can expect higher supervision from the ESAs and stronger controls overall with specific obligations such as:

  • defining specific policies around the 6 domains (and their sub-domains) listed above;
  • implementing a mature ICT Risk Management Framework aligned to industry leading practice frameworks and standards;
  • sharing mandatory reporting for major ICT-related incidents;
  • designing robust Business Continuity Plans (BCPs) and IT Disaster Recovery Plans (ITDRPs); and
  • performing mandatory annual resilience testing approved by the Executive Committee.

The ESAs are expecting a whole new range of reporting and communication from financial entities, a source of information that will aim to deepen the collective knowledge of EU cyber intelligence.

One of the major changes to be faced by financial entities is in the area of Digital Operational Resilience Testing, and in particular the requirement for Threat-Led Penetration Testing (TLPT).  DORA prescribes two categories in this area:

  • Mandatory annual internal testing with a report of the results to be provided to the ESAs (following a specific format provided by the regulator).  It is applicable to all actors of the financial sector.
  • Advanced testing by means of TLPT to be performed at least every 3 years.  This is applicable to companies according to specific criteria that the regulator will define in the coming months.  This advanced testing, to be conducted by an external entity, will allow the ESAs to issue a certificate stating the entity’s compliance regarding penetration testing.  Failing to obtain it could result in the company’s activities being halted.

How to prepare for DORA compliance, within the tight deadlines?

With the Act approved, the European Commission (EC) and ESAs have foreseen a period of two years (across 2023 and 2024) for companies to prepare for DORA and to implement it.  This period will see the ESAs further defining the needed RTSs and ITSs and making requirements clearer and more concrete.  It will be a crucial time for companies to align their governance and practices to DORA’s resilience pillars and to identify a roadmap with key deliverables to materialise their digital resilience strategy.

Financial entities can prepare for this through an initial gap assessment, starting with an analysis of the company profile, which will define their current level of maturity.  This includes compliance with existing guidelines (the most common references include ESA Guidelines such as the EBA’s Guidelines on ICT and Security Risk Management, the EC’s NIS 2, the ECB’s Cyber Resilience Oversight Expectations (CROE), etc.) and with the existing ICT Risk Management Strategy and standards (such as ITIL, COBIT, NIST CSF, ISO 27001, etc.).  This will help identify the “delta” against DORA requirements and lay out a roadmap analysing the priorities and efforts needed to constitute a sound Digital Resilience strategy and framework.  As regulators further define new RTSs and ITSs, this strategy and newly defined framework should be agile in order to accommodate any new requirements that emerge.

DORA’s requirements apply from 17 January 2025.  From this date, the ESAs will expect the mandatory reports outlined by DORA to be available upon request and will use them to assess any gaps in the market.  By the end of 2025, mandatory penetration testing will come into force and certification by the ESAs will have to be obtained.

Regulators confirmed that DORA will, by default, become the lex specialis, taking precedence over any overlapping regulatory texts such as NIS or ESA guidelines.  Financial entities should keep this in mind when performing an internal assessment of their regulatory compliance and use DORA as the main reference to avoid further unforeseen gaps when DORA applies in 2025.

DORA, in theory, should result in more resilient companies, but at what cost?

The requirements and expectations laid out by DORA will impact the FS sector as a whole.  Becoming digitally resilient may represent a costly endeavour, and while DORA will translate into a more robust EU FS sector, financial entities are rightfully concerned about the financial implications of such a regulation, particularly for small to medium enterprises (SMEs).

Regulators have provided for the concept of proportionality in the application of the regulation to address these concerns.  To establish a safer and more competitive market, the ESAs, when regulating financial entities, will consider aspects such as the company’s size, its complexity and the services provided.  Besides size and complexity, there is another determining factor that provides some insight into the financial implications of DORA: the company’s maturity profile and level.  Companies with lower maturity in their governance and internal practices will have to invest more resources and money to acquire the capability and capacity to meet the challenge DORA represents.  Therefore, tackling this at an early stage is key to succeeding, as a reactive approach will always be more costly than a preventive one.

Where can EY help?

At EY, we have a dedicated Technology & Cyber Risk Consulting team focusing on DORA with the capabilities needed:

  • to perform the required DORA gap assessments from a regulatory and technical perspective;
  • to evaluate the maturity and resilience capabilities of firms; and
  • to help define and implement a roadmap to align with the ESAs’ expectations.

We also deliver the expertise to establish a Digital Resilience Strategy and Framework, enabling financial entities to meet their mandatory reporting and testing requirements (i.e. from ICT Third Party Risk Management to the Digital Operational Resilience Testing).

Our service offering is tailored, targeting our clients’ specific needs based on their structure, level of complexity and expectations.

If you have questions regarding DORA and its potential impact, feel free to reach out to David Spollen.  We are always happy to contribute to Europe’s Digital Operational Resilience and strengthening the financial industry through collaborations and our services.

David Spollen

Director, Technology Risk