Introducing the Digital Operational Resilience Act

Harmonising security across the EU financial sector

On 24 September 2020, the European Commission published the first draft of the Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP). This package involves a digital finance strategy, legislative proposals on crypto assets, blockchain technology, and digital operational resilience, as well as a renewed retail payment strategy. 

Once the Act is finalised and implemented towards the end of 2022, it will then be passed into law by each EU member state. The relevant European Supervisory Authorities (ESAs), such as the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA), will then develop technical standards for all financial services institutions to abide by, from banking to insurance to asset management. The respective national competent authorities, such as the Malta Financial Services Authority (MFSA), will take the role of compliance oversight and enforce the regulation as necessary.

What is the objective of DORA?

It is a known fact that the financial sector has become increasingly dependent on ICT and on information held in digital form. The COVID-19 crisis also acted as a catalyst, as financial institutions now rely even more on the availability of digital systems to conduct day-to-day operations remotely. However, this dependency has increased technological and cyber risk exponentially, and the last couple of years have shown that digital resilience cannot be underestimated.

The EU’s aim with DORA is to strengthen the financial sector’s resilience to ICT-related incidents, and the Act introduces very specific and prescriptive requirements that are homogeneous across EU member states. Critical ICT third parties which provide ICT-related services to financial institutions, such as cloud platforms, data analytics and audit services, are also subject to this new regulation. Organisations need to be able to withstand, respond to and recover from the impact of ICT incidents, thereby continuing to deliver critical and important functions and minimising disruption for customers and for the financial system. This is only achievable by establishing robust measures and controls on systems, tools and third parties, by having the right operational continuity plans in place, and by testing their effectiveness on a continuous basis.

This act provides a very specific set of criteria, templates and instructions that will shape how financial organisations manage ICT and cyber risks. It demonstrates that EU regulators want to be very hands-on on the topic, with a considerable emphasis on reporting, communication, and assessments that need to take place on a frequent basis, enabled by standardised formats. As such, a single consistent supervisory approach will be adopted across the relevant sectors.

The essence of DORA is divided across 5 core pillars that address various aspects or domains within ICT and cyber security, providing a comprehensive digital resilience framework for the relevant entities. A summary of the key requirements or aspects is provided below:

ICT risk management

The proposal establishes a set of requirements on the ICT risk management framework, including:

  • Set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk.

  • All sources of ICT risk should be continuously identified in order to set up protection and prevention measures.

  • Prompt detection of anomalous activities should be established.

  • Dedicated and comprehensive business continuity policies and disaster recovery plans should be in place, ensuring a prompt recovery after an ICT-related incident.

  • Establish mechanisms to learn and evolve both from external events and from the entity’s own ICT incidents.

Timeline

Draft

On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP).

Reaching an Agreement

Following the publication of the European Parliament's and the Council's proposals for DORA, the co-legislators held political and technical trilogues throughout H1 2022. The European Council adopted DORA on 28 November 2022, after the European Parliament voted in favour of the Act on 10 November.

Entering into Force

DORA entered into force on 16 January 2023. We expect the first regulatory and implementing technical standards (RTS and ITS) to be developed by the European Supervisory Authorities (ESAs).

RTS & ITS

Multiple regulatory and implementing technical standards are defined and issued by the ESAs. They provide entities with specifications and guidance on how to implement specific DORA requirements.

Enforcement

DORA requirements are enforceable 24 months after entry into force (16th January 2023). Therefore, financial entities will be expected to be compliant with DORA by 17th January 2025.

*Articles 23 and 24 refer to the requirements for full-scale Threat-Led Penetration Testing (TLPT).

How do I start preparing for DORA?

Once DORA is passed into law, financial institutions have one year to reach a compliant status with the regulation’s requirements in a way that is proportionate to their size and business profile, as well as compliant with the relevant technical standards developed by the ESAs. Entities that are identified as being exposed to higher degrees of cyber risk will have an additional 36 months from the entry date to prepare and conduct advanced penetration tests such as a red or purple team assessment. 

While DORA will bring about new and more defined requirements than ever before, the expectation of mature ICT and security risk management practices within the financial sector has been a constant theme pushed down by both the relevant ESAs and the MFSA locally. Guidelines such as the EBA Guidelines on ICT and security risk management and the Guidelines on outsourcing arrangements have been around since 2019, with the MFSA releasing its own interpretation as the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements in December 2020. Therefore, now is the perfect time to leverage such guidelines as a benchmarking tool to better prepare for what 2022 will bring about. By conducting comprehensive gap assessments and identifying areas that require further investment and maturity, your business will be in a better position to address more complex requirements such as supply risk management, threat intelligence, and advanced security testing.

While we view DORA as a milestone in the right direction and inevitable in light of the evolving cyber threat landscape, we appreciate the uncertainty that such a regulation can bring upon organisations. With this in mind, our local team of ICT and cyber security experts has been closely monitoring and familiarising itself with DORA in order to be well positioned to provide sound advice on this topic and to assist you throughout this long-term journey.

Contact us

Christopher Eaton

Advisory Director, Head of Risk Assurance, PwC Channel Islands

Tel: +44 7797 900015

Volodymyr Kazanskyi

Advisory Director, PwC Channel Islands

Tel: +44 7797 776404

Kevin Thompson

Senior Manager, Advisory, PwC Channel Islands

Tel: +44 7797 915430

James Aldous-Granby

Advisory Manager, PwC Channel Islands

Tel: +44 7911 742052