February 2024


Understanding DORA: Navigating the Digital Operational Resilience Act

“What is the Digital Operational Resilience Act (DORA), and what will be the impact on your business?” asks Claire Agutter as she discusses the new DORA regulations.

Claire Agutter

The consumer watchdog Which? has warned about the consequences of the shift to digital payments, pointing out that financial institutions report failures and outages daily. Major outages such as TSB's failed 2018 IT migration made the news, but Which? stresses that smaller incidents happen every day and urges consumers to be cautious. Regulation such as DORA should help financial institutions reduce the risk of incidents of that kind and of the fines that follow them: in TSB's case, UK regulators imposed penalties totalling almost £49m.

DORA, the Digital Operational Resilience Act, Regulation (EU) 2022/2554, is a significant development in EU financial regulation. It addresses a gap in how financial institutions manage operational risk, focusing on their ability to protect against, detect, contain, recover from and repair the effects of ICT-related incidents. Because it is a Regulation rather than a Directive, DORA is binding and directly applicable in all EU Member States without national transposition.

In this article, Claire Agutter explains how financial institutions managed operational risk before DORA, mainly through capital allocation, and why that did not comprehensively cover operational resilience. DORA introduces rules for ICT risk management, incident reporting, digital operational resilience testing and monitoring of ICT third-party risk. It recognises that ICT incidents and a lack of operational resilience can threaten the stability of the entire financial system.

DORA entered into force on 16 January 2023 and applies from 17 January 2025, so the financial sector in the European Union (EU) is approaching a significant shift in how operational risk is regulated. The rest of this article looks at what DORA means for businesses, including ICT providers outside the traditional financial sector, and offers practical steps towards compliance.

Capital allocation, the traditional tool for managing operational risk, assumes that losses can be absorbed after the fact; it does nothing to prevent an outage or shorten its duration. DORA fills that gap with rules for managing ICT risk, reporting incidents, testing resilience and monitoring third-party risk, and its premise that a single ICT incident can jeopardise the stability of the whole financial system is what gives it urgency.

What does DORA Mean for Your Business?

DORA establishes uniform requirements for the security of the network and information systems that support the business processes of financial entities. Its scope goes beyond banks and insurers to cover entities such as crypto-asset service providers and crowdfunding platforms, and it brings ICT third-party service providers, including cloud and data centre providers, under the regulatory umbrella. DORA applies from 17 January 2025, so businesses need a strategic and timely plan to align with the new requirements. The question many have is where to start. Here are six practical steps towards DORA compliance:

  1. Review and Strengthen ICT Risk Management:

DORA places responsibility on the management body of each entity to define, approve and oversee its ICT risk management framework. That framework should include continuous risk assessment, identification of cyber threats and of the assets and dependencies that support critical or important functions, and documented policies for protection, detection, response and recovery. Some of the regulatory technical standards (RTS) that detail these requirements are still being finalised, so businesses should track their progress and be ready to align with them.

  2. Establish Incident Reporting Procedures:

Covered entities must put in place processes to monitor, manage, log, classify and report ICT-related incidents. Classification determines the obligations that follow: major incidents must be reported to the competent authority, and clients must be informed where an incident affects their financial interests. The detailed classification criteria and reporting timelines are set in technical standards that were still being finalised at the time of writing, so incident reporting procedures should be built to accommodate changes in thresholds and deadlines.

  3. Conduct DORA Testing:

Regular testing of ICT systems is a core DORA requirement. ICT systems and applications that support critical or important functions must be tested at least yearly, using methods such as vulnerability assessments and scans, gap analyses, source code reviews, scenario-based tests and penetration testing. Financial entities that competent authorities identify as significant to the financial system must additionally carry out threat-led penetration testing (TLPT) at least every three years, performed on live production systems and, where relevant, with the participation of the ICT third-party providers in scope. The technical standards specifying TLPT are still forthcoming, but businesses should start preparing now for testing that is carried out by independent testers, covers critical functions and produces remediation plans that are tracked to closure.

  4. Monitor and Manage Third-Party ICT Risk:

A distinctive feature of DORA is its reach into the ICT providers that serve the financial sector. Financial entities must actively manage ICT third-party risk: maintain a register of information on all contractual arrangements with ICT providers, include specific provisions in those contracts (for example on service levels, data location, audit and access rights, cooperation during incidents and exit), and map which providers support which critical or important functions. The European Commission may develop standard contractual clauses to ease this work. Entities must also assess concentration risk so that critical functions do not depend excessively on a single provider, and ICT providers designated as critical will fall under direct oversight by one of the European Supervisory Authorities (ESAs) acting as Lead Overseer.

  5. Stay Informed and Engaged:

DORA's requirements are being fleshed out through regulatory technical standards (RTS) and implementing technical standards (ITS) drafted by the European Supervisory Authorities (ESAs) and adopted by the Commission. Businesses should follow the ESAs' consultations and publications closely, and respond to them where they can, so that they understand the detailed standards as they are finalised and can implement them without delay.

  6. Understand the Relationship with NIS 2:

DORA's overlap with the revised Network and Information Security Directive (NIS 2) adds a further layer of complexity. NIS 2 treats DORA as sector-specific legislation: for financial entities within DORA's scope, DORA's requirements on ICT risk management and incident reporting apply in place of the corresponding NIS 2 provisions, while NIS 2 continues to govern other entities in its scope, including other parts of a group. Businesses that fall under both should map which obligations come from which instrument rather than assume one regime covers everything.

Navigating the New Regulatory Landscape

As DORA reshapes the regulatory framework for ICT risk management in the EU, businesses must adapt promptly to remain compliant. Collaboration between financial entities, ICT providers and regulators will play a pivotal role in strengthening the resilience of the financial system as a whole. By following the practical steps above, businesses can meet the new requirements, improve their operational resilience and reduce the risk of the substantial fines that follow serious incidents.
