Digital Operational Resilience Act (DORA) - How prepared is your firm?

Some thoughts from a few of us…

What is DORA?

The Digital Operational Resilience Act (DORA) is new EU legislation (Regulation (EU) 2022/2554) aimed at improving the resilience and security of the EU financial services sector. It builds on existing legislation such as the Network and Information Systems (NIS) Directive and the General Data Protection Regulation (GDPR) that is already in place.

In November 2022 the Council of the EU adopted DORA. The Regulation entered into force in January 2023 and, after a 24-month implementation period, applies to firms from 17 January 2025.

What is the aim of DORA?

Service delivery and security risks continue to pose a challenge to the operational resilience, performance and stability of the EU financial system; DORA aims to address these risks. The regulators have pitched DORA as an opportunity for the EU: as the sector digitalises, ICT operations must remain resilient in the face of severe operational disruption and cyber-attacks. The stated aim is to let digitalisation make the financial system as a whole more resilient by keeping resilience risks suitably in check. The legislators take the view that securing and stabilising digitalisation in the finance sector will create a level playing field for innovation and service delivery, improving outcomes for consumers.

What does this really mean for firms?

DORA aims to ensure that all financial services firms in the EU and their suppliers apply diligence consistently in key service areas, including cyber and IT risk management frameworks, incident reporting, operational resilience planning and testing, and oversight of third-party outsourcing of services. It also allows the EU regulators to oversee directly those ICT service providers that they designate as critical to the sector, in addition to the financial firms themselves.

The legislation requires firms to standardise their procedures and processes in five key areas (article numbers refer to the adopted text of Regulation (EU) 2022/2554):

      i.         ICT risk management requirements: Demonstrate a robust ICT and operational risk management framework, owned by the management body, in which cyber and IT risks are identified and backed by functioning and up-to-date controls to mitigate and reduce them. (Articles 5 to 16)

     ii.         ICT-related incident management and reporting: Ensure incidents are detected, classified and reported to the competent authority in line with the harmonised incident reporting regime, with major ICT-related incidents subject to mandatory reporting. (Articles 17 to 23)

    iii.         Digital operational resilience testing: Planning for continuity and crisis management, backed by regular testing of critical systems, including threat-led penetration testing (TLPT) for the firms the authorities identify for it, to assure operational resilience. (Articles 24 to 27)

    iv.         ICT third-party risk: Ensure that equivalent risk management, contractual controls, testing and monitoring are in place for all third-party providers of ICT services, and maintain a register of all such arrangements. (Articles 28 to 44)

     v.         Information sharing: Exchange cyber threat information and intelligence with other financial entities under information-sharing arrangements with appropriate confidentiality protections; participation is voluntary but must be notified to the competent authority. (Article 45)

Where does DORA apply and who does it apply to?

In short if you have a presence in financial services in Europe directly, or indirectly, it will apply to you, whether you are a financial services firm or a supplier to the sector.

DORA applies to regulated financial entities across the EU. It affects every financial market participant: not only banks and investment firms but also payment service providers, e-money institutions, crypto-asset service providers, insurance companies, trading venues and more.

DORA places stringent requirements on the supply chains to these firms to assure the resilience of the financial services offered, so aspects of the Act by extension also apply to any supplier of services that underpin those financial services. Firms supplying the financial marketplace are therefore drawn into the scope of the Act, and the new EU regulation gives the financial sector regulators the capacity to directly oversee, investigate and where necessary supervise the activities of any ICT provider designated as critical to the financial services supply chain, even if it is not a regulated financial services firm. Firms supplying systems services, network connectivity and cloud services are particularly in focus, but any firm in a supply chain supporting financial services to consumers must be aware of the Act and ensure its compliance. See also the Shapes First insight “Third Party and Outsourcing – The Perfect Storm”, which covers other initiatives on the management of supply chains: https://www.shapesfirst.com/insights/third-party-and-outsourcing-the-perfect-storm

Does DORA apply to non-EU regulated firms?

DORA does not apply directly to UK, US or other non-EU regulated firms that only provide services in their home jurisdictions, but any of these firms providing ICT services to an EU financial sector firm will need to meet DORA's requirements, because their EU clients must flow those requirements down through their contracts, and a non-EU provider designated as critical falls under direct EU oversight.

For internationally regulated financial services groups, any intragroup services provided from their international entities to EU-based branches and subsidiaries within the group structure, and likewise any contracts for services entered into in the home jurisdiction but applicable within Europe, will need to be checked.

UK, US and international services and technology firms with clients in the European financial sector will be impacted and must ensure their services and contracts comply with DORA.

Many financial services firms in the UK will already have considered the resilience of their important business services as part of their compliance with the FCA's operational resilience rules that came into effect in March 2022. Compared with DORA, the FCA took a more consumer-oriented view, placing requirements on the resilience of services to clients and the markets. Many of the objectives and requirements of the two regimes are similar, but the EU regulation places a much stronger focus, with specific diligence requirements, on the supply chain and suppliers of services.

What should firms do now to prepare for DORA?

The emphasis of the regulation is on establishing firm-wide governance backed by policies and procedures aligned to the five key areas. The governance framework will not only apply to IT and IT security within the firm but will also affect those parts of the firm's business services that rely on IT services. Furthermore, risk, compliance, procurement and legal departments will all have a role to play in implementing and complying with the regulation.

With the act adopted by the Council in November 2022, firms should have commenced their preparations. Based on the five key areas, we suggest that firms:

      i.         Review and Enhance Governance and Risk Management Frameworks: Review the governance structure surrounding their services to ensure clear roles and responsibilities are in place regarding aspects of service operational resilience. Enhance risk management frameworks and make sure that operational resilience, IT, and cyber related risks are identified and assessed with documented controls and monitoring in place to assure services to consumers.

     ii.         Enhance MI and Reporting: Institutionalise threat and incident reporting processes within the organisation, with robust classification of threats and incidents and training for staff in the required processes, so that major incidents can be reported to the competent authority within the regulatory timelines and the firm is ready for industry-wide threat information sharing.

    iii.         Map Service Dependencies: Ensure that business services and functions are mapped to the key systems, IT infrastructure, and third-party services they rely on. Ensure that all links in the service chain have been examined for resilience and will comply with the regulatory requirements.

    iv.         Plan and Test Operational Resilience and Service Continuity: Review and enhance design and planning for crisis management and business service continuity with a focus on ensuring the provision of critical external services to clients. Underpin the continuity planning by regular testing to assure operational resilience.

     v.         Engage Third Party Providers: Use the mapping and the register of ICT third-party arrangements to ensure all third-party providers of services comply with the resilience requirements. Enhance diligence on providers both through contracts, including the contractual provisions DORA requires, and through ongoing oversight, with appropriate MI in place. Work with providers to prove resilience planning through testing assurance.

Be prepared for the regulation: the authorities will have the right to review all documentation, come on site for inspections, investigate issues and enforce corrective measures. Ultimately the regulators could require the cessation of business practices or impose administrative penalties for non-compliance. (Articles 50 to 52)

In the coming weeks we will be publishing further information looking at each of the five key areas of DORA.

At Shapes First we work with firms to give you the tools you need. If you would like to hear more about what we can do to help you, please get in touch at info@shapesfirst.com

For those interested in the perspective of the Bundesbank, a key player in the new regulation, the views of Joachim Wuermeling a Member of the Executive Board of the Deutsche Bundesbank are an interesting read here:

https://www.bundesbank.de/en/press/speeches/exploring-dora-the-digital-operational-resilience-act-and-its-impact-on-banks-and-their-supervisors-876006
