Examining the Impact of EU’s DORA Regulation on Financial Organizations
Financial organizations operating within the European Union (EU) face a patchwork of local regulations across individual member states, which complicates their compliance initiatives. As a solution, the Digital Operational Resilience Act (DORA) is a single regulation that applies universally to all financial organizations operating in the EU and supersedes the older local regulations. In this blog post, we take a deep dive into DORA to evaluate its impact on financial organizations and discuss how to begin your approach toward compliance.
Preparations are Happening Now
Financial organizations should be working now on developing their information and communication technology (ICT) governance, risk and compliance plan for meeting the DORA requirements. Enforcement of DORA begins on January 17, 2025. Financial organizations were given a period of 24 months to prepare for DORA compliance, and that clock started running on January 17, 2023.
Why DORA?
The goal of DORA is to provide a transparent way to ensure operational resilience by equipping EU regulators and financial organizations with applicable ICT controls and planning. Its foundation is ensuring that operations remain resilient through an incident of severe operational disruption, a risk that grows with ICT complexity (e.g., reliance on cloud service providers and exposure to cyberthreats). The need for DORA stems from the increasing reliance of the financial market on ICT and the growing complexity of financial services.
What Does DORA Compliance Necessitate?
DORA regulatory requirements are wide in scope, covering many ICT activities that affect financial organizations. It’s a seismic shift from guaranteeing your organization’s own financial resilience through “self-responsibility” to having a transparent plan structured around EU regulatory criteria, with reporting and accountability to the EU regulators. This has a large impact on business and many implications for risk strategy.
Establishing an ICT Risk Management Framework
DORA requires financial entities operating within the EU to establish their own ICT risk management framework. A wide range of financial entities is subject to the new rules, and the scope also includes critical ICT service providers, such as cloud platforms or data analytics services. DORA specifies uniform requirements for the security of network and information systems for organizations operating within the financial sector. Requirements include reporting related incidents and performing operational resilience testing. Critical third-party ICT service providers must establish a subsidiary within the EU to enable regulatory oversight. Non-complying providers can expect significant fines. Although statutory auditors and audit firms were within the scope of the original proposal, the European Council confirmed that auditors will not be subject to DORA.
Ensuring ICT Risk Management
There must be strong board-level involvement in all relevant aspects of ICT within the risk management framework to provide clarity and transparency. Organizations must have a resource plan and identify all documents relevant to their ICT risk environment. It’s about protection and prevention, which involves analyzing the existing and future ICT monitoring controls and providing a security roadmap. Organizations must implement a mechanism for detecting and evaluating anomalous ICT activity. Equally important are countermeasures and recovery plans for incidents, so you must update continuity strategies, including response and recovery procedures for ICT incidents. There’s also an important communication element that requires implementing incident, event and crisis management with a transparent communication plan.
Reporting Your ICT-Related Incidents
Although regulatory reporting of ICT-related incidents is something you’re already doing, DORA affects all of the organizational management, classification and reporting you have in place. It requires incident processes based on an assessment of your ICT environment, transparency about the ICT incidents that occur, and classification of incidents using the European Supervisory Authorities’ (ESA) criteria. It also requires an incident escalation process that includes reporting.
Testing Your Digital Operational Stability
General requirements include establishing an operational resilience program, with consistent assessment of your ICT environment and implementation of the required tools, so that the organization is ready for compliance review. It also requires conducting regular penetration tests using comprehensive tools and techniques, aligned with ESA criteria.
Managing Risks of Your Third-Party ICT Providers
The general principles required include assessing vulnerabilities, applying risk management that takes the third-party provider’s environment into account, and evaluating the provider’s security maturity level. You must specify a strategic roadmap that defines responsibilities. Implementing a compliant ICT environment for third parties involves documenting responsibilities and controls, reviews, readiness for external review, and contractual topics, such as having an exit strategy.
You must establish an assessment of ICT risk and sub-outsourcing arrangements. Review the relevant third-party contracts and establish consistent contractual agreements, covering the services and the management of contractual risks, that incorporate substitution aspects, dependencies, risks linked with new technologies, and cyber risks. You must specify consistent and transparent contractual agreements with third parties that comply with legislation, for example on cross-border data transfer.
Updating Information Sharing Agreements
DORA establishes a cyber threat exchange through which financial entities share threat information. You must establish a consistent and up-to-date cybersecurity ICT environment by implementing protection measures, controls and procedures, including monitoring based on advanced techniques and reporting of cyberattacks.
Developing a Successful Plan to Address DORA Regulations
The wide scope of DORA requirements and their emphasis on all organizational ICT components can pose a significant challenge for businesses. Building the risk management framework is the responsibility of the second line of defense (LoD), with accountability resting on business management and C-level staff, and is often supported by management consultancy companies or one of the big four accounting firms. These staff frequently lack the practical ICT knowledge and experience needed to accomplish this. Reviewing and updating all contracts with third-party providers is a lengthy legal process, and requires:
- Certificates proving security management (an ISMS certified to ISO 27001) or the effectiveness of controls (ISAE 3402, Type II)
- The financial organization to embed the third parties into its risk management framework.
Three Major Aspects Easing DORA Compliance Implementation
1. The ICT Environment Factors
The DORA compliance requirements can be approached effectively when an organization establishes a relation model based on the following five ICT factors:
I. Confidentiality/security
II. Integrity of data
III. Availability of data
IV. Authorization and access control management
V. Data classification and categorization.
The organization must then manage the related controls consistently and transparently across its ICT environment and across IT, business optimization and transformation projects.
2. DORA Focuses on Critical Environments
Though the scope of the regulatory requirements is wide, the specified focus on the financial organization’s critical functions, processes and services, including its third-party providers and their underlying ICT environment, significantly narrows the volume of compliance activities.
It should be emphasized that a restricted number of critical functions per organization can be assumed, since the focus is not on achieving the business goals of an institution, but on their orderly resilience and business continuity.
3. Effective Approach to Achieve DORA Compliance
The focus on an organization’s critical functions enables an effective approach to achieve DORA compliance:
• The first step is to identify which functions are necessary for the resilience and continuity of the organization, including its activities on the financial market
• The following steps are an analysis of the business-critical processes and their dependencies on ICT: IT processes, applications, systems and infrastructure
• This top-down approach leads automatically to the detection of the critical parts of third-party provider services, which makes it possible to target the relevant parts of contracts to be updated and the services to be made resilient
Critical Success Factors: ICT-Risks versus Operational-Risks
Ensuring the operational resilience of an organization requires incorporating IT and security risks into your existing risk management framework. This is critical, as the DORA regulations state: “evaluation, measurement and mapping of IT and security risks into operational risks are the basis for build of transparent DORA compliance”. The adequacy and quality with which your organization evaluates its IT and IT security risks in the business context is therefore important.
The risk transparency for management and second LoD is achievable in two steps:
1. Consistent specification of key risk indicators (KRIs) and key performance indicators (KPIs) for all critical ICT functions, including the administrative, technical and infrastructure controls, on a measurable basis (quantitative and qualitative types)
2. Categorization of the ICT metrics into the existing risk management organization’s metrics with the applicable classifications (financial, maturity, modeling and cost analysis)
After completing the above steps, the accountable management obtains a comprehensive operational risk overview, enabling them to define risk appetite, capacity and tolerance.
Conclusion
The future of our financial markets relies on a common and transparent regulatory system. DORA aims to establish a comprehensive, cross-sectoral digital operational resilience framework with rules for all regulated financial institutions. It’s a step in the right direction.
Going forward, banks, stock exchanges, clearing houses, FinTech companies, wealth management organizations and insurance companies together with their ICT service providers will have to adhere to these strict standards to prevent and limit the impact of ICT-related risks and ensure stability of financial markets.
Future IT innovations can only be used effectively under transparently established, standardized compliance regulations.