Promoting secure information sharing and managing ICT risks: Key requirements for DORA compliance
The financial sector is increasingly dependent on technology and tech companies to deliver financial services, which makes financial entities vulnerable to cyber-attacks or incidents. When not managed properly, information and communication technology (ICT) risks can lead to disruptions of financial services offered across borders. This can have an impact on other companies, sectors and even on the rest of the economy, which underlines the importance of the digital operational resilience of the financial sector.
To deal with this, the EU introduced the Digital Operational Resilience Act (DORA). DORA's aim is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms and ICT third party service providers. The Act entered into force on 16 January 2023 and will apply as of 17 January 2025.
What is the Digital Operational Resilience Act (DORA), and what are the Act's requirements?
DORA is a comprehensive regulatory framework proposed by the European Commission. It seeks to establish a harmonized approach to operational resilience across the European Union (EU). By setting clear expectations for operational resilience, DORA aims to protect consumers, maintain financial stability, and ensure the smooth functioning of digital services.
The Act introduces stringent requirements for firms to manage and mitigate risks related to their digital operations. These include ICT risk management, incident reporting, digital operational resilience testing and more.
Key compliance requirements
Below are DORA's specific requirements, organized into several key components:
- ICT risk management: Firms must establish robust risk management frameworks that align with DORA's requirements and a control function to oversee ICT risk,
- Managing ICT third-party risks: DORA introduces the requirement for financial entities to manage ICT third party risk as an integral component of ICT risk within their ICT risk management framework. The management body must regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions. The regulation will also implement an oversight framework for critical ICT third-party service providers; these will be designated by the European Supervisory Agencies (ESAs). This potentially extends the scope of DORA beyond outsourcing arrangements to encompass a broad range of IT-related services procured by financial services entities.
- Reporting of ICT-related incidents: Firms are obligated to promptly report any major ICT-related incidents. The ESAs are developing technical standards to specify the criteria for classifying ICT incidents, materiality thresholds for major incidents, and significant cyber threats.
- Testing of digital operational resilience: DORA mandates regular testing of digital operational resilience. The ESAs are working on technical standards to provide further details on advanced testing of ICT tools, systems, and processes through threat-led penetration testing (TLPT). These standards will also outline the criteria for identifying financial entities required to perform TLPT.
- Information sharing: DORA encourages information sharing among financial entities to foster a collaborative approach to managing digital operational risks. Organizations can collectively enhance their resilience and response capabilities by sharing insights and best practices.
These components form the foundation of DORA, ensuring that financial entities prioritize operational resilience and take proactive measures to mitigate ICT risks. However, as with any regulation, it poses several challenges for organizations to overcome to be fully compliant.
Challenges of complying with DORA
In order to navigate the requirements and expectations of DORA effectively, financial entities must approach compliance with a strategic mindset. This entails taking a proactive approach to compliance and fully understanding the regulation and its requirements.
- Complexity: DORA encompasses a wide range of requirements and expectations, spanning multiple areas such as risk management, third-party risk, incident reporting, testing, information sharing and more. Each of these components requires careful consideration and implementation to ensure compliance. By starting early, financial entities can allocate sufficient time and resources to thoroughly understand the intricacies of DORA and develop a comprehensive compliance strategy.
- Adapting governance structures to align with successful operational resilience: Adapting governance structures involves reviewing and potentially revising existing policies, procedures, and decision-making frameworks to align with DORA's requirements. This may include establishing clear lines of responsibility and accountability for operational resilience, defining roles and responsibilities, and implementing robust reporting mechanisms to ensure ongoing compliance. It is crucial to integrate DORA compliance into existing governance frameworks, such as risk management and business continuity, to create a holistic approach to operational resilience.
- Identifying connections with current and upcoming regulations: DORA does not exist in isolation; it intersects with other existing and upcoming regulations (NIS2, GDPR, MiFID II, PSD3, PSR, Digital Services Act, Digital Markets Act), creating a complex regulatory landscape. Understanding these interconnections is essential for ensuring effective compliance and avoiding duplication of efforts.
- Promoting information sharing on cyber threats: One of the primary challenges in information sharing is striking the right balance between sharing enough information to be useful for others while protecting sensitive data. Financial entities must ensure that any shared information is appropriately anonymized and aggregated to prevent the identification of specific individuals or organizations. This helps protect the privacy and confidentiality of the parties involved.
- Reviewing relationships with ICT service providers: DORA mandates that financial entities manage risks associated with their ICT service providers. This includes conducting due diligence, updating contractual agreements, and establishing ongoing monitoring mechanisms, which — when done manually — can take significant resources to conduct properly.
- Regularly testing resilience capabilities: Ongoing compliance with DORA necessitates regular testing to ensure the maintenance of resilience capabilities.
- Developing a culture of operational resilience: Developing a culture of operational resilience isn't easy, but it's crucial to ensure that resilience becomes ingrained in the organization's values, mindset and day-to-day operations.
Complying with DORA takes a proactive approach, technology can help
DORA represents a significant regulatory change that businesses must navigate to thrive in the digital age. By proactively adapting to DORA's requirements, organizations can foster transparency, sustainability, and responsible innovation. Compliance with DORA not only mitigates risks but also presents opportunities for growth and competitive advantage.
The right technology can help you streamline processes to get a head start on your DORA compliance initiatives.
Discover more about how Diligent can help your organization comply with DORA and other connected regulations by scheduling a demo today.
