Digital Operational Resilience (DORA): deciphering European regulations
DORA is a European Union regulation on the operational resilience of digital systems in the financial sector.
It will come into force at the beginning of 2023, and will apply to all EU member states from 2025.
DORA's main objective is to shape a competitive, innovative, secure and stable European financial sector.

On 10 November 2022, the European Parliament adopted the proposal for a regulation on the operational resilience of digital systems in the financial sector, known as the Digital Operational Resilience Act (DORA). This agreement establishes a specific framework to strengthen resilience and deal with the growing number of new challenges. Published in the Official Journal of the EU (OJEU) on 27 December 2022, the regulation came into force at the beginning of 2023 and will apply to all 27 EU Member States from 2025. But what are the implications for the financial sector and why does the industry need to comply with this new EU regulation?

 
DORA: Regulatory context and strategic objectives


What is the regulatory context?

The Digital Operational Resilience Act (DORA) for the financial sector is an Act of the European Parliament designed to establish uniform requirements for achieving a high level of digital operational resilience.

What is operational resilience? Why DORA?

Digital operational resilience is the ability of businesses to maintain their operational integrity in the face of ICT-related disruptions. DORA, an EU regulation, establishes a normative framework for digital operational resilience, unifying the rules for all regulated financial institutions. It represents the first legislative consolidation of common rules on ICT-related risks in the financial sector. In addition, DORA introduces an EU-wide supervisory framework for third-party ICT service providers deemed "critical" to financial entities, thus ensuring adequate European supervision.


What are DORA's objectives?

The aim of DORA is to provide a clearer basis for EU financial regulators and supervisors to extend their role. As well as ensuring that companies are financially resilient, DORA aims to ensure that they also maintain robust operations in the event of a major disruption to their IT systems. The aim of this initiative is to shape a competitive European financial sector, offering consumers access to innovative and secure financial products, while ensuring overall financial stability. A key feature of DORA is that it drives entities to identify potential gaps and then integrate remedial actions into their digital programmes.


The impact of DORA on businesses, particularly in the financial sector, is therefore expected to be significant. The legislation establishes a crucial framework for strengthening digital operational resilience, ensuring that financial entities can effectively withstand ICT-related disruptions and the growing interconnection between players. At RSM, our role is to support regulated firms in implementing DORA, ensuring that they remain competitive and innovative and can maintain financial stability while staying in regulatory compliance. RSM helps and advises a wide range of private and public sector players to improve their cyber security posture and carry out the work necessary to comply with DORA's requirements and principles, including the following services:

  • Implementation of an ISMS (ISO 27001)
  • Security audits
  • Training and awareness-raising
  • Information management and security
  • Assessment of incident management maturity
  • Penetration testing
  • ...

 

What are the 5 pillars of digital operational resilience? 

DORA aims to simplify and update ICT risk management rules, with a focus on incident reporting, digital operational resilience testing, information sharing and third-party supply chain risk management. The main objective is for entities to assess any gaps and include remediation actions in their own digital programmes. The key requirements and considerations within DORA are summarised under five main themes:

1 - ICT risk management 

DORA requires the implementation of a comprehensive ICT risk management framework, which is fundamental to strengthening the resilience of financial organisations. The management body bears ultimate responsibility for ICT risk management within the financial entity. A coherent governance and control framework is one concrete initiative to ensure that ICT risks are managed effectively; integrated into the overall risk management framework, it forms part of the digital operational resilience strategy.


2 - Information sharing systems

To raise awareness of the growing ICT-related risks and limit their impact, while supporting entities' defence capabilities, the regulation proposes that entities put in place arrangements for exchanging information and intelligence between themselves on cyber attacks and other cyber threats, via dedicated IT platforms.


3 - Managing the risks associated with third-party ICT service providers

Inspired by national, international and industry standards, directives and recommendations, the requirements are based on specific ICT risk management functions:

  • Identification
  • Protection and prevention
  • Detection
  • Response and recovery
  • Learning
  • Evolution and communication


In order to be resilient in the face of ICT-related risks, finance companies need to have a documented, robust and comprehensive process that takes into account all the external factors that could bring their business to a halt over the long term.

4 - Digital operational resilience test

DORA describes the requirement to implement a proportionate, risk-based programme of digital operational resilience testing as an integral part of the risk management framework. The programme includes the execution of a full range of appropriate tests, such as vulnerability assessments and scans, open source scans and network security assessments to address threats.

5 - Management, classification and reporting of ICT incidents

The introduction of a uniform incident reporting mechanism is intended to reduce the administrative burden on financial entities and thereby enhance the effectiveness of supervision. Reporting follows a standardised template and a harmonised procedure covering the detection, management and reporting of ICT incidents. Major incidents must be reported to the management body and its various committees, as well as to the competent authorities. This reporting will be based on a common template, to be defined by the ESAs (European Supervisory Authorities). Entities will also be able to report significant cyber threats on a voluntary basis.


Taken together, the key themes addressed by this regulation, such as governance, information sharing, third-party cyber risk management, operational resilience testing and incident reporting, are the pillars of the regulation and demonstrate the importance attached to building a resilient and secure digital infrastructure. Within RSM, you will find proposed solutions for each area.


The European legislator's concept of operational resilience thus emphasises the need to change the way businesses approach operational risk management, from an approach focused on preventing risks and limiting losses to a more global and proactive approach. The European legislator has understood that even the least likely incidents can occur, and that we need to be ready to deal with them and ensure the continuity of critical or important activities and services.


How will DORA impact organisations?


Which entities are concerned?

The DORA rules are intended to cover a very wide range of companies in the finance sector, as well as ICT service providers operating within the European Union, who will have to meet requirements applied proportionately according to the size and profile of the company. The following is a non-exhaustive list of the entities affected by DORA:

  • Credit institutions
  • Payment and electronic money institutions
  • Crypto-asset service providers
  • Central depositories
  • Trading platforms
  • Investment fund managers and management companies
  • IT service providers
  • Insurance and reinsurance companies and intermediaries
  • Pension funds
  • Rating agencies
  • Statutory auditors and audit firms
  • Administrators of critical benchmarks
  • ...


DORA is therefore aimed at a very broad group of entities and defines a uniform framework covering banks, insurance companies, payment service providers and other players in the financial sector. Only 'micro-enterprises' (fewer than 10 employees and an annual turnover of €2 million or less) are exempt.


What are the key dates to remember?


With direct application from 17 January 2025, the regulation harmonises European standards for all EU Member States.
It should be noted that a directive (2022/2556) accompanies this regulation by incorporating references within the existing EU legislative framework, including CRD IV, PSD2, BRRD, Solvency 2, IORP2, MiFID 2 and AIFM, among others. It will have to be transposed by Member States by 17 January 2025.


To anticipate these changes, the market players and ICT service providers concerned should start preparing internally now, by assessing the operational and strategic impacts of these new regulations, and putting in place an appropriate policy.
To facilitate this transition, the European Commission will publish a set of regulatory technical and implementation standards (RTS and ITS) in collaboration with the European supervisory authorities (EBA, EIOPA, ESMA). The RTS and ITS will be published in two stages, the first part in January 2024 and the second in July 2024.


Below is a diagram of the various phases involved in adopting DORA:

In conclusion, the key themes applicable to this regulation, such as governance, information and data sharing, third-party risk management, operational resilience testing, and incident reporting processes, demonstrate the importance placed on building a resilient and secure digital infrastructure.


Author: Valentin Crasnier, Manager – Conseil, RSM France
