Opinion: What is DORA and why does it matter?
Claire Agutter is an experienced service management trainer, consultant and author, the founder of Scopism and publisher of the SIAM Foundation and Professional BoKs. For Infotec, she discusses the aims behind the European Union’s new Digital Operational Resilience Act (DORA), and its impact.
A recent report from the watchdog organisation Which? has urged caution about the consequences of transitioning to digital payments, highlighting that many financial institutions report failures and outages daily. While major outages like TSB have gained attention in the news, Which? emphasises that this is a daily occurring issue, advises consumers to be cautious, and says that the new Digital Operational Resilience Act (DORA) regulations should help financial institutions to minimise the risk of hefty fines – more than £49m in TSB’s case.
Photo by Alexandre Lallemand
What is this significant development in EU financial regulation?
DORA, Regulation (EU) 2022/2554, addresses a crucial gap in managing operational risk for financial institutions, focusing on the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. DORA is ‘regulatory’ binding and directly applicable in all EU Member States.
However, how did organisations manage their operational risk before DORA? Although it was previously managed mainly through capital allocation, this did not comprehensively cover all components and ensure operational resilience. Now, through DORA, there are new rules for managing ICT risk, incident reporting, functional resilience testing, and third-party risk monitoring. DORA recognises that a lack of operational resilience can cause instability in the entire financial system when these incidents occur.
DORA brings a groundbreaking shift in regulation that aims to revolutionise financial institutions. It will transform operational risk management, specifically focusing on the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents. However, implementing DORA will reach far beyond the financial sector, with far-reaching implications for both private and public organisations.
What about DORA and the public sector?
With the implementation of DORA, there are now uniform requirements for the security of networks and information systems supporting the business processes of financial entities. Its scope extends beyond traditional financial institutions, encompassing non-traditional entities like crypto-asset service providers and crowdfunding platforms. Third-party service providers like the cloud and data centres are also brought under the regulatory umbrella. DORA sets a deadline for compliance on January 17, 2025, necessitating a strategic and timely approach for businesses to align with the new standards.
It can be challenging to know where to start. There are organisations who can help and advise but here are five first steps for DORA Compliance:
- Review and strengthen ICT risk management
DORA places the responsibility on the management body of entities to define and actively execute appropriate ICT risk management strategies. Continuous risk assessments, cyber threat identification and comprehensive frameworks are essential. As regulatory technical standards (RTS) are still being developed, businesses should stay informed and be prepared to align with forthcoming guidelines.
- Incident reporting
Covered entities must establish systems for monitoring, managing, logging, classifying and reporting ICT-related incidents. The severity of incidents will dictate the necessity for reporting to regulators and affected parties. As rules on incident classification and reporting timelines are still pending, businesses should remain agile to adapt their incident reporting procedures accordingly.
- DORA testing
Regular testing of ICT systems is a core requirement under DORA. Basic tests, vulnerability assessments and scenario-based testing should be conducted annually. Financial entities with a critical role in the financial system must undergo threat-led penetration testing (TLPT) every three years. While technical standards for TLPTs are forthcoming, businesses should prepare for comprehensive testing to validate their systems’ resilience.
- Monitoring
One distinctive aspect of DORA is its extension to ICT providers servicing the financial sector. Financial entities must actively manage third-party ICT risk, negotiate specific contractual arrangements and map dependencies. The European Commission is exploring standardised contractual clauses to facilitate compliance. Financial institutions must ensure their critical functions are not overly concentrated with a single provider, preparing for direct oversight from relevant ESAs for critical third-party service providers.
- Stay informed
In an evolving new landscape, DORA requires businesses to stay informed about developments from European Supervisory Authorities (ESAs). Engagement with ESAs will be crucial for understanding and implementing regulatory technical standards (RTS) and implementing technical standards (ITS) once finalised.
The NIS 2 Directive is where DORA’s intersection with the Network and Information Systems Directive adds further complexity. Both public and private sector organisations should proactively understand and examine how they will navigate and comply with these new frameworks.
Organisations must adapt swiftly to ensure compliance when new regulations are introduced. As DORA revises the regulatory framework for ICT risk management in the EU, there is a need for collaboration between those working in finance and ICT and those in regulatory bodies. All parties will play critical roles in future-proofing and securing the financial system. By incorporating the steps above, the public and private sectors can begin to meet the new requirements and minimise any risk of future fines in a rapidly evolving digital financial arena.
Want to find out more? Join our community for discussions about DORA at www.scopism.com
In related news:
Girls’ cyber security skills recognised at CyberFirst awards
Leave a Reply