The Digital Operational Resilience Act (DORA) is a new European framework that focuses on embedding a more robust and resilient approach to delivering digital capabilities in Financial Markets.
The framework shifts the focus from guaranteeing firms’ financial soundness to also ensuring they can maintain resilient operations through severe operational disruption caused by cyber security and information and communication technology (ICT) issues.
By introducing a single consistent supervisory approach across the relevant sectors, DORA ensures convergence and harmonisation of security and resilience practices across firms operating in the European Union (EU).
DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU. The regulation introduces specific and prescriptive requirements for all financial market participants including (but not limited to) banks, investment firms, insurance undertakings and intermediaries, crypto asset providers, data reporting providers and cloud service providers.
DORA builds on previous industry-specific guidelines to define requirements around consistent ICT risk management; comprehensive resilience testing capabilities (including threat-led penetration testing); and third party risk management, ensuring a consistent provision of services across the entire value chain.
The five key topics at the centre of DORA are: ICT Risk Management; Reporting on ICT-related Incidents; Digital Operational Resilience Testing; Management of Third Party Risk; and Information and Intelligence Sharing.
The regulation is unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).
Given the broad scope of DORA, it addresses many topics that already apply to Financial Services firms operating in the EU and the United Kingdom, while being more prescriptive around ICT and cyber resilience than the current UK operational resilience regulation.
CI entities will need to act quickly to determine if they fall in scope of DORA, based on the broad range of types of financial markets activities included and whether those take place within EU jurisdictions.
Even for those entities that are familiar with financial markets resilience regulation, certain capabilities, such as more detailed operational resilience testing around ICT (particularly threat-led penetration testing) and threat intelligence sharing, require attention, while other areas (such as third party risk management) need to be carefully aligned with existing and emerging regulatory requirements.
Our recommendation for all CI entities in scope is therefore that, regardless of where your entity is in terms of the maturity of digital and operational resilience, DORA should be a trigger for creating alignment between other programmes the organisation has running (e.g. Operational Resilience, Third Party Risk Management, Technology Risk Remediation, Cloud Transformation and Cyber Transformation), and for identifying what additional requirements need to be addressed. As a starting point, organisations should perform an initial gap analysis and maturity assessment against the DORA requirements, to inform any reshaping of those programmes - or of other ICT and cyber resilience activities within the organisation.
We view DORA simultaneously as a challenge and opportunity for financial entities and their critical ICT providers. The EU-wide uniform requirements of DORA mean that financial entities need to ensure they can manage a consistent maturity level of ICT and cyber resilience across all their EU operations.
With a two-year readiness period, there is a lot that needs to be considered, implemented, and demonstrated. Starting right now, financial institutions will want to conduct comprehensive gap assessments to evaluate their respective maturity against DORA and identify any areas that require further investment and prioritisation. This will put organisations in a better position to address more complex requirements such as third party risk management, advanced technology resilience testing (including threat-led penetration testing), incident reporting and threat intelligence.
We see DORA as a significant change for entities under ESMA or EIOPA supervision, but also for banks which have already had to comply with existing EBA guidelines on banking supervision. DORA also extends its scope to include other stakeholders in the financial sector which so far have not been subject to extensive ICT security regulation, e.g. crypto-asset service providers, intermediaries, managers of alternative investment funds, crowdfunding service providers, cloud service providers and ICT third-party service providers.
Given the strong focus on third party risk management, entities are expected to satisfy themselves of a third party’s resilience, which will require close interaction and joint efforts with their critical ICT third-party service providers, especially where those providers support the delivery of an important business service.
Operational Resilience regulation and DORA seek to drive specific and often complementary outcomes. As a result, a number of common elements exist between the UK Operational Resilience regulation and DORA. Some examples are outlined below:
It will also be important to consider how the ongoing sustainability of your approach to Operational Resilience will be delivered as there may be opportunities for tools or technology platforms to be leveraged for the purposes of DORA too.
The full DORA regulation does however need to be understood by individual firms in order to allow determination of where their existing Operational Resilience journey can fulfil specific requirements.
DORA raises the bar for ICT service providers designated as ‘Critical’ by ESAs, bringing them under the direct scrutiny of regulators. They will need to perform a comprehensive assessment of their obligations under DORA. Contractual changes to align with DORA requirements may prove challenging - such as terms around ‘unrestricted rights of access’ and obligations to ‘fully cooperate during onsite inspections and audits performed by… competent authorities’.
Financial entities are required to set up a comprehensive ICT risk management framework, including:
Financial entities are required to:
The regulation requires all entities to:
Financial entities are required to:
PwC has the expertise and capabilities to support you on your journey to manage all of DORA’s regulatory requirements and enable you to achieve your organisation’s resilience objectives. We can leverage our extensive experience supporting clients in complying with similar requirements, such as the UK regulatory requirements on operational resilience (introduced in 2021 by the Bank of England, FCA and PRA), which provides us with unique insights into the similarities and relationship with DORA’s requirements.
Our global network of industry experts can work with your technology risk function and existing operational resilience, cyber security, and third party risk management programmes to address any gaps in your digital and operational resilience maturity.
Advisory Director, Head of Risk Assurance, PwC Channel Islands
Tel: +44 7797 900015