DORA is a new European regulation aiming to enhance the ICT requirements of financial firms. Priya Prakash looks at the new EU regulation and what you need to consider.
Contents

Cyber security threats have risen as remote work becomes more common within firms. As a result, there has been an increased reliance on third parties to help run businesses, which increases the supply chain risk. The Digital Operational Resilience Act (DORA), which comes into effect in January 2025, looks to improve the existing ICT risk management requirements within firms to ensure there is a shared vision across financial services for cyber protection.

Understanding DORA

DORA aims to ensure technology resistance by establishing a unified digital regulation. Whereas Operational Resilience aims to protect customers and the wider market, DORA provides a framework for firms to improve their ICT risk management and have digital reporting standards in place.

The regulation will provide an EU-wide approach to testing digital operation resilience and outline third party risks management requirements for ICT providers. The long-term aim is to encourage cooperation between firms and prevent substantial harm by cyber attackers.

How to approach DORA

Meeting this standard by the implementation date will demand a review of your internal systems and cyber processes. It is important to assess your operations and how to prepare for implementation.

Governance

The act primarily aims to improve digital risk management at a senior level. Managing this will require implementing an appropriate governing body to oversee digital operational resilience. Assigning individuals across all three lines of defence is also important to oversee the resilience measures and ensure that your framework is up to date.

Firms must also instill the right risk culture. Training schemes can create a better understanding of what to do in the case of disruption. Establishing this culture helps you meet regulatory requirements by providing your team with an overview of your current framework and an understanding of where to make improvements to meet expectations.

ICT supported business function and mapping

You must identify, classify, and document all ICT supported business functions. Your IT functions must reflect the DORA framework, so it is important to map them out correctly, so they align with the EU’s plan. This should also match your internal ICT risk to meet compliance.

Tolerance

You should set an appropriate risk tolerance level of ICT risk and assess your risk appetite. Agreeing these tolerance levels with the regulator beforehand will ensure that these levels are in place.

Vulnerabilities

You should also define your vulnerabilities and risk control implementation. This means keeping track of emerging risks and how they align with your current risk universe to reflect in the Internal Audit plan.

ICT third party providers

You should also rate, monitor, and outline a withdrawal plan for all third-party providers. This means writing a contract that has clauses in place in case of service outage. This should also include an exit strategy with a clear transition plan.

Incident management and reporting

You need to ensure that your data systems meet the requirements of DORA. There are five steps firms need to follow for incident management:

  • Detect – it is important to identify your digital capabilities to understand where to prioritise your efforts
  • Respond – once detected, it will be important to act and mitigate the risk of a cyber threat
  • Investigate – it will be necessary to take an assessment of your systems to understand incidents and what is causing them
  • Remediate – reporting your data will require resolving any issues you identify and how to fix them
  • Recover – getting your systems back up and running will be important to ensure you are well protected and have a plan in place in the event of a cyber incident

All firms will need to review their current operations. Creating a strategy to execute these five steps is important to stay ahead and meet the requirements of DORA.

Our data shows business leaders are optimistic about the year ahead. Find out the key actions for delivering success in 2023.
Building business resilience: how to succeed in 2023
Read this article

Communication, response, and recovery

In the event of an ICT-related incident, you should also create a communication response. This will ensure that there are clear response mechanisms in place in case of outage. Integrating this strategy with your emergency response procedures, incident management and disaster recovery process will also help you meet best practice.

Testing

Strong penetration and scenario testing processes should also be in place. You need to ensure that your firm can stay within pre-set tolerance limits and is prepared for potential issues. Testing will allow you to obtain a strong understanding of your processes to meet best practice.

Lessons learned

You should also complete a plan-do-act-check spiral of discovery. This will require a full investigation into your testing findings to assess the root cause and the ability to establish a remediation plan. In turn, this should give you information for retesting to improve your systems and ensure you are meeting best practice.

Information sharing

You should exchange information by develop training and awareness materials once testing is complete. This will ensure there is collaborative information sharing increase the overall understanding of your operational resilience measures and lessons learned across industry.

Challenges to consider

Implementing DORA will require a review of your current operations, and every firm will have a unique set of requirements to consider. Therefore, it is important to consider a systematic approach to implementation. Meeting compliance will require a review of your internal business operations to understand your tolerance levels and recovery requirements.

It will also be important to have third party assurance to demonstrate your digital resilience. The EU will expect a strong business continuity and recovery plan, so an accurate review of your digital operations is necessary.

DORA will require you to enhance your cyber security framework and address digital resilience risks. It is important to anticipate challenges early to avoid major setbacks and improve your existing framework. Doing this now will ensure you are ready for implementation and help you get ahead of the curve.

For more information, contact Priya Prakash.