09 Apr Are you Ready for the Digital Operational Resilience Act?
The increased use of cloud services has posed a challenge to firms and regulators since many of the market participants are based out of country. To ensure that organisations remain robust the solution in Europe is DORA, part of a suite of new regulations impacting the European markets.
The Digital Operational Resilience Act, known as DORA came into force on 16 January 2023 and fully applies from 17 January 2025. It strengthens IT security to ensure that financial institutions in Europe will be able to survive a severe operational disruption.
In particular it addresses the following:
- ICT Risk Management
- ICT Third-Party Risk Management
- Digital Operational Resilience Testing
- ICT related incidents
- Information sharing
- Oversight of critical third-party providers
Who is Covered by DORA?
Financial entities covered by the Regulation include:
- credit institutions;
- payment institutions
- account information service providers;
- electronic money institutions
- investment firms;
- crypto-asset service providers
- issuers of asset-referenced tokens;
- central securities depositories;
- central counterparties;
- trading venues;
- trade repositories;
- managers of alternative investment funds;
- management companies;
- data reporting service providers;
- insurance and reinsurance undertakings;
- insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries;
- institutions for occupational retirement provision;
- credit rating agencies;
- administrators of critical benchmarks;
- crowdfunding service providers;
- securitisation repositories;
- ICT third-party service providers.
There are some exceptions available which prevent the risk of duplicate regulation.
Controlling ICT Risk
Information and Communications Technology or ICT is critical for any firm. The Regulations state:
“In order to maintain full control over ICT risk, financial entities need to have comprehensive capabilities to enable a strong and effective ICT risk management, as well as specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents. Likewise, financial entities should have policies in place for the testing of ICT systems, controls and processes, as well as for managing ICT third-party risk.”
What is Digital Operational Resilience?
Digital operational resilience’ is defined as “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.”
As you can see from the definition the scope of the regulation is extremely broad and most firms in the financial markets will be impacted by these important regulations.
The Digital Risk Management Framework
Firms that are impacted by DORA need to have a well-documented ICT risk management framework, approved by their governing body. This needs to at least include the following elements:
- ICT strategies,
- ICT policies and procedures,
- ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets
These assets include
- computer software,
- computer hardware and servers,
- all relevant physical components and infrastructures
- premises,
- data centres and
- sensitive designated areas,
The intention is to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage.
The digital operational resilience strategy must include
a) explain how the ICT risk management framework supports the financial entity’s business strategy and objectives;
b) establish the risk tolerance level for ICT risk, in accordance with the risk appetite of the financial entity, and analysing the impact tolerance for ICT disruptions;
(c) setting out clear information security objectives, including key performance indicators and key risk metrics;
(d) explaining the ICT reference architecture and any changes needed to reach specific business objectives;
(e) outlining the different mechanisms put in place to detect ICT-related incidents, prevent their impact and provide protection from it;
(f) evidencing the current digital operational resilience situation on the basis of the number of major ICT-related incidents reported and the effectiveness of preventive measures;
(g) implementing digital operational resilience testing
(h) outlining a communication strategy in the event of ICT-related incidents the disclosure of which is required
For many institutions this represents a major change to the way that their risk management framework operates. The regulations provide detailed guidance on many of these points and additional clarification has been provided by other European agencies as well as local regulators in individual jurisdictions.
There is not a lot of time to get all of these changes implemented, so firms need to start immediately undertaking the primary gap analysis against these requirements.
Whilst there is much important guidance within the DORA, in this brief article we will only raise one further issue, the testing regime that is required. Indeed generally testing of systems has not received detailed specific regulations previously within Europe, so this does represent a departure.
Digital Resilience Testing
It is without doubt that DORA is anticipating that firms will implement a much greater testing environment for digital operational resilience. To date many firms have taken an approach that digital technology falls within the mainstream of testing. These Regulations make it clear that the expectation is that more testing should be conducted in the digital area that has generally been the case to date.
The Regulations explicitly refer to firms conducting:
- vulnerability assessments and scans,
- open source analyses,
- network security assessments,
- gap analyses,
- physical security reviews,
- questionnaires and scanning software solutions,
- source code reviews where feasible,
- scenario-based tests,
- compatibility testing,
- performance testing,
- end-to-end testing and
- penetration testing
What will be conducted within a firm will be commensurate with the firm’s size and complexity and the Regulations do include guidance for what might be termed as lower risk or smaller organisations.
What do you Need to Do?
All firms in the financial services industry need to really understand the impact that DORA will have on them and the industry. Since there are specific requirements for Third Party Service Providers and others engaged in the industry, their continued participation cannot be guaranteed.
The intention of resilience regulation is to ensure that the firm is still able to provide critical services if an operational event occurs impacting performance, include cyberattacks. Firms need to interpret the Regulations within their operational context and undertake a suitable gap analysis. Ideally this should be either undertaken by or reviewed by a independent firm.
All staff need to have increased awareness of operational resilience particularly in the Digital areas and DORA awareness need to increase. Implementing both structured training and centres of excellence will be critical to successfully navigating this complex and fast changing area.
Dennis Cox
CEO, Risk Reward Limited
A Knowledge as a Service company
