Hello everyone and welcome to the latest edition of GreySpark Insights.
Please do not hesitate to contact us with any questions or comments you may have. We are always happy to elaborate on the wider implications of these headlines from our unique capital markets consultative perspective. Happy reading!
On 27 December 2022, the EU published the Digital Operational Resilience Act (DORA), setting out a comprehensive set of digital operational resilience rules for EU-based financial institutions. DORA entered into force on 16 January 2023, and full compliance becomes mandatory from 17 January 2025. To be clear, DORA applies to the EU’s financial sector, including banks, investment firms and crypto-asset service providers. Additionally, DORA applies to ICT third-party service providers (i.e., providers of ICT services to financial entities) that are designated as ‘critical.’ Generally, DORA aims to mitigate the risks created by the sector’s increasing reliance on digital systems for its operations. Its main objective is to help financial institutions withstand, respond to and recover from ICT incidents, thereby ensuring the continued delivery of critical functions and reducing disruption for customers and the wider financial system during times of adversity.
Before DORA, EU-based financial institutions were faced with a patchwork of operational resiliency regulations, spread across different frameworks such as CRD IV, PSD2, Solvency II, EMIR and MIFID, with local requirements also overseen by several different bodies. Generally, this patchwork created ambiguous, generalist principles rather than specific technical standards, making it difficult for financial institutions to create compliant, robust operational resiliency models. At the same time, the fragmented regulations ultimately meant that post-financial crisis reforms did not fully address digital operational resilience as intended, with financial institutions still vulnerable to operational risk-related events.
However, the arrival of DORA, which was first proposed in September 2020, finally created a single framework for managing and mitigating ICT risk across the financial sector. In light of recent black swan events, such as the Coronavirus pandemic and the Silicon Valley Bank collapse, the importance of achieving operational resilience cannot be overstated. In truth, DORA has arrived at an opportune moment in a world that continues to face uncertainties, especially in terms of digital transformation (i.e., the rise to prominence of AI) and heightened geopolitical risk.
Specifically, DORA sets rules on ICT resilience for financial institutions and their third-party ICT service providers across five pillars:
ICT risk management - refers to the implementation of a risk management framework, covering identification, protection and prevention, detection, response and recovery, learning and evolving, and crisis communication. The management body of a financial entity is required to define, oversee and be accountable for the implementation of ICT risk management frameworks.
ICT-related incident reporting - financial institutions are required to implement a standardised incident management process, including the detection, classification, reporting and notification of ICT-related incidents. Incidents classified as ‘major’ must be reported to the competent authority on a tight timeline: an initial notification shortly after the incident is classified as major, followed by an intermediate report and a final report once the root-cause analysis is complete.
Digital operational resilience testing - financial institutions need to put a comprehensive testing programme in place that covers ICT systems, people and processes, with a focus on technical testing. In addition, financial entities identified by the competent authorities must undergo advanced testing by means of threat-led penetration testing (TLPT) at least every three years, run as live tests against production systems supporting critical or important functions.
ICT third-party risk - financial institutions must conduct due diligence and assess the resilience of their third-party service providers. Before entering a contract, financial institutions will need to assess third-party vendors against certain criteria, such as security level, concentration risk and sub-outsourcing risks. DORA also contains guidelines for contract contents and reasons for termination of a contract.
Information sharing - financial institutions may exchange information and intelligence on cyber threats between themselves, enabling them to be better prepared for these threats.
Generally speaking, DORA is expected to have a significant impact on in-scope firms’ governance structures and operational processes. While the biggest and most sophisticated financial services firms are likely to have intricate ICT systems and procedures in place already, reviewing and adapting them to DORA’s standards is likely to be a complex task. For instance, scenario testing is currently a core focus for in-scope financial institutions. However, with some third-party vendors opting not to take part in these scenario testing exercises, scenario testing is not always a smooth process. As GreySpark will reveal in the coming weeks, there is a way for in-scope firms to conduct scenario testing successfully as the 2025 DORA deadline approaches.
If you have any questions about the DORA regulation specifically, please post them in the comments section below.