What is DORA?

What does DORA mean for the finance industry?

What is DORA, and what will the impact be on the finance industry? Claire Agutter explains the new DORA regulations.

DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), is a significant development in EU financial regulation. This groundbreaking regulation aims to revolutionise financial institutions’ operational risk management, specifically focusing on the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents. But DORA will also significantly impact businesses beyond the financial sector.

Claire Agutter, director at Scopism, says: “There are clear synergies between an operating model based on sound service integration and management and compliance with DORA. Organizations that have adopted SIAM will have a clear understanding of their third-party agreements that will fall within the scope of the act, and where their dependencies lie.”

DORA addresses a crucial gap in managing operational risk for financial institutions, focusing on the protection, detection, containment, recovery, and repair capabilities against ICT-related incidents. DORA is binding and directly applicable in all EU Member States as a Regulation, not a Directive.

The watchdog organisation Which? has warned about the consequences of transitioning to digital payments, highlighting that many financial institutions report failures and outages daily. While major outages such as TSB’s have made the news, Which? emphasises that this is a daily occurrence and urges consumers to be cautious. The new DORA regulations should help financial institutions minimise the risk of hefty fines, which came to over £49m in TSB’s case.

Before DORA, financial institutions managed operational risk mainly through capital allocation, but this did not comprehensively cover all components of operational resilience. DORA introduces rules for managing ICT risk, incident reporting, functional resilience testing, and third-party risk monitoring. It acknowledges that ICT incidents and a lack of operational resilience can jeopardise the stability of the entire financial system.

DORA establishes uniform requirements for the security of networks and information systems supporting the business processes of financial entities. Its scope extends beyond traditional financial institutions, encompassing non-traditional entities like crypto-asset service providers and crowdfunding platforms. Third-party service providers like cloud and data centres are also brought under the regulatory umbrella. DORA sets a deadline of January 17, 2025, for compliance, necessitating a strategic and timely approach for businesses to align with the new standards. But the question many have is, where do I start? Here are six practical steps for DORA Compliance:

  • ICT Risk Management:

DORA places the responsibility on the management body of entities to define and execute appropriate ICT risk management strategies actively. Continuous risk assessments, cyber threat identification, and comprehensive frameworks are essential. As regulatory technical standards (RTS) are still being developed, businesses should stay informed and be prepared to align with forthcoming guidelines.

  • Incident Reporting:

Covered entities must establish systems for monitoring, managing, logging, classifying, and reporting ICT-related incidents. The severity of incidents will dictate the necessity for reporting to regulators and affected parties. As rules on incident classification and reporting timelines are still pending, businesses should remain agile to adapt their incident reporting procedures accordingly.

  • Conducting tests:

Regular testing of ICT systems is a core requirement under DORA. Basic tests, vulnerability assessments, and scenario-based testing should be conducted annually. Financial entities with a critical role in the financial system must undergo threat-led penetration testing (TLPT) every three years. While technical standards for TLPTs are forthcoming, businesses should prepare for comprehensive testing to validate their systems’ resilience.

  • Monitoring: 

One distinctive aspect of DORA is its extension to ICT providers servicing the financial sector. Financial entities must actively manage third-party ICT risk, negotiate specific contractual arrangements, and map dependencies. The European Commission is exploring standardised contractual clauses to facilitate compliance. Financial institutions must ensure their critical functions are not overly concentrated with a single provider, preparing for direct oversight from relevant ESAs for critical third-party service providers.

  • Information:

The evolving landscape of DORA requires businesses to stay informed about developments from European Supervisory Authorities (ESAs). Engagement with ESAs will be crucial for understanding and implementing regulatory technical standards (RTS) and implementing technical standards (ITS) once finalised. 

  • Directive NIS 2:

DORA’s intersection with the Network and Information Systems Directive (NIS 2) adds another layer of complexity. Businesses should proactively understand and navigate the relationship between DORA and NIS 2, ensuring compliance with both frameworks.

Businesses must be compliant and swiftly adapt as DORA reshapes the regulatory framework for ICT risk management. The collaborative efforts of financial entities, ICT providers, and regulatory bodies will play a pivotal role in fortifying the resilience of the entire financial system. By incorporating the practical tips outlined above, businesses can meet the new requirements, enhance their overall operational resilience, and minimise the risk of hefty financial fines in a rapidly evolving digital landscape. Want to find out more? Join our community for discussions about DORA.

About Claire Agutter

Claire Agutter has extensive experience in service management, spanning over 20 years. As an experienced service management trainer, consultant and author, Claire founded Scopism and is the publisher of the SIAM Foundation and Professional BoKs. Claire specialises in helping organisations get value for money from their IT investment and was nominated by Computer Weekly as one of the most influential women in tech. Claire also hosts the popular ITSM Crowd YouTube channel and is the Chief Architect for VeriSM.
