Introduction
The Digital Operational Resilience Act (DORA) is set to become enforceable on January 17, 2025, marking a significant shift in how EU financial entities manage digital risks. This regulation mandates comprehensive frameworks to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions.
What Is DORA and Who Must Comply?
DORA, officially Regulation (EU) 2022/2554, aims to harmonize digital operational resilience requirements across the EU financial sector. It applies to a broad spectrum of entities, including:
- Banks and credit institutions
- Insurance and reinsurance companies
- Investment firms
- Payment service providers
- Crypto-asset service providers
- ICT third-party service providers offering services to these financial entities
Even non-EU ICT service providers fall under DORA's scope if they offer services to EU-based financial entities. The regulation ensures that all critical participants in the financial ecosystem adhere to uniform standards for digital resilience.
The Five Pillars of DORA
DORA is structured around five key pillars:
- ICT Risk Management Framework: Entities must establish and maintain robust frameworks to identify, protect against, detect, and recover from ICT-related incidents.
- Incident Reporting: Significant ICT-related incidents must be reported to competent authorities promptly, following specified guidelines.
- Digital Operational Resilience Testing: Regular testing, including threat-led penetration testing, is required to assess the effectiveness of ICT risk management frameworks.
- Third-Party Risk Management: Entities must manage risks associated with ICT third-party service providers, ensuring contractual agreements include necessary provisions for security and resilience.
- Information Sharing: DORA encourages financial entities to share cyber threat information and intelligence with one another to enhance collective resilience.
Current Readiness Levels and Common Gaps
Despite the looming deadline, many organizations are unprepared. Common gaps include:
- Inadequate ICT Risk Management Frameworks: Many entities lack comprehensive frameworks that meet DORA's requirements.
- Insufficient Incident Reporting Mechanisms: Organizations often lack the processes to detect and report incidents promptly.
- Lack of Regular Resilience Testing: Entities may not conduct the necessary testing to ensure their systems can withstand disruptions.
- Weak Third-Party Risk Management: Contracts with ICT service providers may not include the mandated provisions for security and resilience.
Addressing these gaps is crucial to achieving compliance and ensuring operational resilience.
Key Steps for Near-Term Compliance
To align with DORA's requirements, organizations should consider the following actions:
- Establish a DORA Compliance Team: Form a cross-functional team to oversee compliance efforts.
- Conduct a Gap Analysis: Assess current practices against DORA's requirements to identify areas needing improvement.
- Develop or Update ICT Risk Management Frameworks: Ensure frameworks are comprehensive and align with DORA's mandates.
- Enhance Incident Detection and Reporting Processes: Implement systems to promptly detect and report ICT-related incidents.
- Review and Amend Contracts with ICT Service Providers: Ensure contracts include necessary provisions for security, incident reporting, and resilience.
- Plan and Conduct Resilience Testing: Schedule regular testing, including threat-led penetration tests, to assess system robustness.
ICT Third-Party Management Under DORA
DORA places significant emphasis on managing risks associated with ICT third-party service providers. Key requirements include:
- Comprehensive Contractual Agreements: Contracts must outline clear provisions for security measures, incident reporting, and access rights for audits.
- Regular Monitoring and Assessment: Entities must continuously monitor the performance and risk profile of their ICT service providers.
- Exit Strategies: Organizations should have plans in place to transition services if a provider fails to meet contractual obligations or poses significant risks.
These measures aim to mitigate risks arising from dependencies on external ICT services and ensure continuity of operations.
Conclusion
DORA represents a significant advancement in the EU's approach to digital operational resilience. With the compliance deadline approaching, financial entities and their ICT service providers must take proactive steps to align with the regulation's requirements. By establishing robust risk management frameworks, enhancing incident response capabilities, and managing third-party risks effectively, organizations can not only achieve compliance but also strengthen their overall operational resilience in an increasingly digital financial landscape.