Complying with DORA – steps for financial institutions to take

The Digital Operational Resilience Act (DORA) is an EU regulation that aims to strengthen the operational resilience of the financial sector and ensure continuity of critical services.

It covers a wide range of financial institutions and service providers, setting out only a short list of entity types not within its scope.

With DORA now in force, a two-year window has opened from when it is to apply in full. The expectation for financial institutions is to now use this period to prepare effectively.

In line with UK Finance’s recommendations, here are some key steps that we recommend are taken:

1. Determine if your organisation is in scope

Understanding the scope of DORA requires more analysis than simply checking the list of in-scope entities. Consideration should also be given to its geographical reach and the extent to which any entities within a group structure are caught.

As part of the initial scoping exercise, also consider the extent to which contracts with ICT third party providers are in-scope and how their subcontracting arrangements may be impacted.

As is the case with existing regulatory frameworks, intra-group arrangements will be subject to DORA and not necessarily treated as “less risky”.   

2. Nominate a DORA champion or lead project manager

DORA sets out specific tasks for various functions and personnel to complete. This includes oversight by the “management body”, requirements for senior and third-party risk managers and communications leads and specific requirements for ICT risk management, control, internal audit, media and crisis management functions.

To effectively coordinate this activity, it is important to designate a DORA champion or project lead who will engage across the organisation on readiness and compliance.

3. Understand the five pillars of DORA

DORA compartmentalises digital operational resilience into five areas – risk management, incident reporting, digital operational resilience testing, ICT third-party risk management, and information and intelligence sharing.

Risk management: DORA may require changes to be made to a financial institution’s overall risk management framework. A review of governance arrangements, policies, controls and risk assessment and mapping activities may be required to align current practices with DORA’s specific requirements.

Incident reporting: DORA introduces new requirements for preparing for, responding to, and reporting on major ICT incidents. This regime is broader than GDPR as it covers ICT incidents and not only (personal) data breaches. Consideration will also need to be given to voluntary arrangements to report cyber threats as opposed to incidents.

Resilience testing: Threat-led penetration testing on live production systems features as one aspect of DORA’s approach to detecting and mitigating vulnerabilities, adverse events and cyber-attacks. As part of a broader digital operational resilience testing programme all ICT systems and applications supporting critical or important functions will need to be tested and effective follow-up remedial activities will need to take place.

ICT third party risk management: Contracts in place with third party technology providers may need to be varied to comply with DORA. Unlike other regulatory regimes, consideration will need to be given to both arrangements that are usually classified as outsourcing and those that are not.

While some technology providers will be familiar with outsourcing regulatory requirements, DORA may be new ground for data and other ICT providers usually considered purchasing. A detailed level of understanding of DORA’s requirements will help address the concerns of these suppliers.

Information and Intelligence Sharing: There is also opportunity for financial institutions to consider engaging in greater threat intelligence sharing with other financial institutions. DORA envisions a “trusted community of financial entities” through membership arrangements that enable the sharing of information and potentially also the involvement of technology providers and regulatory authorities.

4. Implement DORA

A starting point will be to select a framework suited to systematically implementing DORA’s requirements. This framework should allow for all obligations to be accurately identified and for a gap analysis to be conducted which can be translated into specific tasks. Sub-projects may then be designed to address each pillar of DORA.

It is important, however, that a flexible approach be taken to implementation, as further rules in the form of regulatory technical standards (RTS) will be released at a later date during the two-year implementation window.

But that is no reason to delay – the two-year window will go by very quickly if work is not started soon.