DORA Deadline Draws Nearer
All hands to the pump for EU financial firms seeking regulatory compliance
In exactly four months' time, EU-based financial firms and their critical ICT service providers must establish or amend policies, processes or procedures to meet the requirements of the Digital Operational Resilience Act (DORA). DORA has been in effect since December 14, 2022, with its main objective of strengthening operational resilience and, more specifically, helping financial firms withstand, respond to and recover from ICT incidents.
The arrival of DORA has created a comprehensive regulatory regime that is tailored specifically to operational resilience, helping provide protection against black swan events seen this decade such as the Coronavirus pandemic and the Silicon Valley Bank collapse. The DORA regulation is uncharted territory for EU financial firms, which have become accustomed to a patchwork of operational resilience regulations spread across different frameworks such as CRD IV, PSD2, Solvency II, EMIR and MiFID, with local requirements also overseen by several different bodies.
As such, the transition period to DORA for EU financial firms has presented several challenges and uncertainties, with a likelihood that not all firms will achieve compliance ahead of the January 2025 deadline. The main challenge is that the five requirements of DORA, outlined below, require deep evaluation and modification of a firm’s business processes:
ICT Risk Management - Financial firms will be required to create and follow an ICT risk management framework that supports a business continuity strategy, disaster recovery policies, and communication strategies (i.e., between management and stakeholders). The management team of a financial firm is required to define, approve and be accountable for the implementation and management of ICT-related risk frameworks. All sources of ICT risk should be continuously identified, with ICT systems set up so that the impact of ICT risks is minimised as far as possible.
ICT-related Incident Reporting - Financial firms are required to implement a management process to monitor and log ICT-related incidents promptly. The incidents must be classified and reported using a common template approved by regulators. Under DORA requirements, an incident should be reported within four hours of classification, and no later than 24 hours from the time of detection.
Digital Operational Resilience Testing - One of DORA's requirements is for in-scope firms to perform digital operational resilience testing. This involves running simulations of a physical environment in a virtual environment using real-time data. Because firms must carry out business impact analyses based on 'severe business disruption' and increasingly complex scenarios, supervisory pressure on firms to develop more sophisticated scenario testing methods is likely to increase. Financial firms must establish their own procedures to prioritise, classify and remedy any and all issues or deficiencies revealed through the performance of the tests. GreySpark's opinion is that achieving the level of scenario testing sophistication and precision required under the terms of DORA is likely to be possible only by using AI technology and, more specifically, digital twin technology. You can find out more about this here.
ICT Third-party Risk - DORA emphasises rigorous third-party risk management, demanding careful vetting and ongoing monitoring of the cyber practices of external providers. In particular, financial firms must ensure that contracts with ICT third parties provide full visibility, such as an indication of the location in which sensitive data is stored. Arrangements with third parties should cover important functions, such as data protection, audits and incident management. Firms must also map out all of their third-party dependencies. European regulators will monitor the compliance of critical ICT third parties through both on-site and off-site inspections.
Information Sharing - DORA encourages collaboration between in-scope financial firms in order to enhance the digital operational resilience of firms, raise awareness on ICT risks, minimise the risk of market contagion stemming from an ICT disaster and identify cyber threats.
Largely, it is the prerogative of the firm as to how these standards are achieved, with implementation of best practices often requiring specialist expertise. However, across each requirement, GreySpark has identified some best practices in-scope firms can adopt to meet the DORA requirements.
On ICT risk management - Conduct a gap analysis of existing ICT risk management and governance practices and mobilise resources to address deficiencies as soon as possible. Firms should establish a risk management framework that covers identification, protection and prevention, detection, response and recovery, learning and evolving, and crisis communication. In addition, improving firm-wide security awareness training covering these ICT risks is essential, with the management body driving this initiative.
On incident reporting - In delivering a DORA-standard incident reporting framework, there are three areas that in-scope firms should target: incident management, data management and cybersecurity. Take a look at our 8 May 2024 post for more information on this. Generally, a firm should now assess whether it is capable of detecting near-miss incidents and whether it is capable of reporting significant incidents within 24 hours of occurrence.
On digital operational resilience testing - Understand the skills and capabilities required to perform the digitally-centric operational resilience testing that DORA mandates. Traditional stress testing, which can be clunky and error-prone, will not cut the mustard under DORA, with critical or important functions becoming increasingly digitised and complex, thereby warranting more sophisticated scenario testing methods. GreySpark's opinion is that in-scope firms can only achieve an adequate level of precision in their operational resilience testing by utilising AI technology and, specifically, digital twin technology. A digital twin is an AI-based software model that creates an exact virtual representation of a real-world entity or process. You can learn more about this here. In-scope firms should give serious consideration to implementing digital twin technology if they are to meet DORA operational resilience testing standards.
On ICT third-party risk - Firms should focus on improving the mapping of third-party contracts, and on documenting and reviewing ongoing third-party vulnerabilities to help track and mitigate potential risks. Having a thorough understanding and breakdown of the role critical third-party providers (including cloud service providers) currently play in business operations is imperative to successful DORA compliance. Before using a new critical third-party provider, firms should conduct comprehensive due diligence to evaluate its operational resilience capabilities.
With time ticking towards the DORA implementation deadline, in-scope firms should take stock of their current business processes against the DORA requirements and, at the very least, demonstrate substantial progress: showing awareness of any 'gaps' and having a plan in place to close them in the face of regulatory scrutiny.