It’s been six months since the Digital Operational Resilience Act (DORA) came into effect, and many financial services organisations are working towards compliance with its requirements to meet the January 2025 deadline.
In this month’s newsletter, we focus on answering key questions surrounding the DORA and its requirements. We also explore its relationship with the Network and Information Security Directive (NIS2) and highlight steps that organisations can take to establish a roadmap towards compliance.
DORA endeavours to tackle the fragmentation in Information and Communications Technology (ICT) risk management frameworks within the financial sector by establishing a unified and harmonised regulatory framework focused on digital operational resilience.
Under this regulation, all firms subject to its provisions must demonstrate their ability to effectively handle various ICT-related disruptions and proactively mitigate cyber threats throughout each stage of their lifecycle.
By implementing this comprehensive approach, DORA aims to foster a more cohesive and robust resilience landscape across the financial industry.
1. What is DORA?
DORA is a European Union (EU) regulation designed to strengthen operational resilience for financial institutions, empowering them to effectively withstand and recover from disruptions. It took effect on January 16, 2023, and financial institutions that operate in the EU must comply by January 1, 2025.
2. What is the objective of DORA?
DORA’s primary objective is to consolidate and elevate ICT risk requirements within the EU financial sector to help safeguard against cyber-attacks. It aims to subject in-scope financial entities, including banks, insurance companies, and investment firms, to uniform rules that effectively mitigate ICT-related operational risk. Through these measures, DORA seeks to enhance the overall resilience and security of the financial industry.
3. Does it only apply to financial services organisations?
While aimed at EU financial services, DORA’s impact extends beyond these institutions to encompass critical suppliers serving the financial sector. Any third-party ICT service provider to the financial industry that is assessed as “critical” by any of the European Supervisory Authorities (ESAs) will be subject to a supervisory framework. Under this framework, the ESAs will be endowed with extensive authority, enabling them to request information, carry out investigations and inspections, issue recommendations and, in cases of non-compliance, levy financial penalties on critical ICT third-party service providers.
4. Does it apply to UK financial institutions after Brexit?
Although DORA is an EU regulation, its scope extends beyond the borders of the EU. Therefore, even if an organisation is located outside of the EU, it will fall within the scope of the regulation if it operates in the EU or delivers services to a financial institution that operates in the EU.
For example, if a UK-based bank serves customers in the EU, it may still be subject to DORA’s requirements. However, most UK organisations that are impacted by DORA should already have gone through their own operational resilience project and should, therefore, be able to reuse specific parts of that work.
5. What are the key requirements of DORA?
DORA sets forth 5 key pillars of requirements, each encompassing specific underlying mandates that must be fulfilled. These 5 pillars form the foundation of the regulation and outline the essential components to which financial institutions must adhere.
The 5 pillars are:
- Risk Management and Governance
Financial institutions are required to utilise and maintain reliable systems, protocols, and tools, ensuring sufficient reliability, capacity, and resilience to effectively handle ICT risks. DORA mandates the implementation of a robust governance and control framework for ICT risk management. The framework should be proportionate to the organisation’s risk profile and emphasise the accountability of leadership for the effective delivery of ICT risk management and governance.
- Operational Resilience Testing
DORA mandates comprehensive digital operational resilience testing of ICT tools, systems, methodologies, practices, and processes to proactively identify and rectify issues before they pose a threat to operations. Therefore, organisations must establish and maintain a robust and inclusive testing programme, employing a risk-based approach and engaging independent testers. Independent parties that conduct testing help to ensure objectivity.
- Incident Response
DORA emphasises a uniform and cohesive approach to detect, manage, and report ICT-related incidents. Organisations must establish a compliant process for detecting, managing, notifying, and documenting any ICT-related incident. They should develop classification criteria based on the incident’s criticality and prepare protocols for reporting major ICT-related incidents, including client notification and management of outsourcing reporting obligations if applicable.
- Threat Intelligence Sharing
DORA requires financial entities to share cyber threat-related information and intelligence, fostering the development of information-sharing arrangements with other financial institutions concerning cyber threats. To assist, the EU has already proposed the establishment of the Joint Cyber Unit, aiming to strengthen cooperation among EU Institutions, Agencies, Bodies, and the authorities in the Member States.
- Third-party Risk Management
DORA places significant focus on the management of third-party risk through the implementation of comprehensive risk assessment and monitoring processes. These include processes to regularly assess the risk posed by third parties, to report any risks identified, and to end the relationship and transition to a more suitable provider where necessary.
6. How does DORA compare with the Network and Information Security Directive (NIS2)?
DORA and NIS2 complement each other rather than compete. NIS2 is designed to enhance the overall cybersecurity level in the EU, while DORA specifically focuses on ensuring the functional continuity of the financial system during cyberattacks.
The NIS2 Directive plays a crucial role in harmonising cyber security standards across the EU. Its primary objective is to elevate the level of digital security for companies and organisations essential for the smooth functioning of our society. On the other hand, the DORA regulation is dedicated to fortifying the digital operational resilience of the financial sector, guaranteeing that financial entities can withstand and operate even during cyber-attacks.
7. Is DORA or NIS2 a priority?
If your organisation falls within the scope of DORA, then it takes priority over NIS2. DORA is “lex specialis” in relation to NIS2; under this legal principle, a specific law takes precedence over a general one when there is a conflict between the two.
This is evident from the following passage in DORA on its relationship with NIS2 (Directive 2022/2555):
“This Regulation constitutes lex specialis with regard to Directive (EU) 2022/2555. At the same time, it is crucial to maintain a strong relationship between the financial sector and the Union horizontal cybersecurity framework as currently laid out in Directive (EU) 2022/2555”
8. Where do I start with DORA compliance?
- If you haven’t already done so, conduct a DORA assessment to identify any gaps and determine the effort required for remediation before the deadline.
- Develop a comprehensive remediation roadmap and establish a dedicated programme directorate to aid in planning, facilitating, and monitoring the implementation process. Due to the regulation’s complex requirements that impact various aspects of the business, the workload and complexity may exceed what business-as-usual (BAU) teams can handle.
- Assemble a cross-functional team comprising experts in risk management, business continuity, cybersecurity, legal, and compliance to lead the implementation process effectively.
- Don’t be deceived by the relatively long implementation period. The extended timeline is necessary because it involves multiple teams within the organisation collaborating to deliver the required changes.
- Prioritise addressing third-party risks, as rectifying issues within your organisation might be more manageable than with third-party suppliers, especially those unaccustomed to heavy regulatory pressure or operating in a highly regulated environment.
- Utilise automation to streamline processes. Given the substantial reporting requirements, employing technology tools can simplify and expedite reporting tasks.
- Ensure thorough evidence capture. DORA encompasses not only designing controls but also operational management of the controls to meet auditability standards.
9. How can ThreeTwoFour help?
We have significant experience in the delivery of large-scale transformation programmes. Our team of regulatory specialists, operational resilience experts, and cyber security professionals are well-equipped to help you with your DORA compliance journey.
Whether it’s conducting gap assessments, developing remediation strategies, or overseeing the implementation of controls, we are well-prepared to provide support.
Read more here about our related services:
- Programme Management and Delivery
- Risk Management Framework
- Technology Risk and Control Culture
- Health checks
- Internal Audit
Follow ThreeTwoFour on LinkedIn for the latest trends and team updates.
To join our InfoSec Leaders Events (where we focus on what every InfoSec Leader needs to know to manage Tech Risk) – subscribe to our newsletter below.