The Digital Operational Resilience Act (DORA) is a European Union regulation aimed at strengthening Information and Communication Technology (ICT) security in financial institutions such as banks, insurance companies, and investment firms. The goal is to enable the European financial sector to withstand critical operational disruptions.
With the financial sector increasingly dependent on digital technologies, the risk of cyberattacks or incidents is a growing concern for companies and authorities. If such situations are not managed correctly, they can lead to disruptions in financial services across an entire continent.
Until the new legislation arrives, financial institutions manage operational risks by allocating capital to cover potential economic losses. With the advent of DORA—known in Portuguese as the Digital Operational Resilience Act—these companies will have to follow strict guidelines to protect against ICT incidents.
In this article, we will cover everything you need to know about DORA, its objectives, and how you can prepare for it.
Objectives of the Digital Operational Resilience Act
The main objective of the Digital Operational Resilience Act is to strengthen the ICT security of financial entities in the European Union. The new legislation aims to ensure harmonized regulation of digital operational resilience for 21 types of financial entities.
Here are the six main objectives of DORA:
- ICT Risk Management: Provides a framework that defines principles and requirements for managing Information and Communication Technology risks.
- Digital Operational Resilience Testing: Establishes a program for testing resilience against cyberattacks and incidents, ranging from basic to advanced assessments.
- Information Sharing: Facilitates the exchange of information and intelligence on cyber threats among different institutions.
- Third-Party ICT Risk Management: Mitigates threats posed by third parties by creating contractual provisions that must be included in agreements with suppliers and partners.
- Incident Management: Manages ICT-related incidents, with provisions for notifying significant incidents. Manages cyber threats with a direct line of communication to the competent authorities.
- Supervision of Critical Third-Party Providers: Ensures that critical ICT providers are rigorously monitored by the European Supervisory Authorities (ESAs).
Overall, DORA focuses on increasing the resilience of the European financial system against cyberattacks and ICT incidents. Consequently, the European Union aims to protect even companies in other sectors from suffering financial system outages.
Free eBook: Financial services: Challenges and Opportunities for Business Resilience
Which organizations are affected by the Digital Operational Resilience Act
The Digital Operational Resilience Act applies to all financial institutions operating in the European Union. This includes traditional entities such as banks, investment firms, and credit institutions.
The new legislation also affects less traditional companies in the sector, such as crypto-asset service providers and crowdfunding platforms.
What sets DORA apart from its predecessors is that it also applies to entities typically excluded from financial regulations. This is because it affects third-party service providers that supply ICT systems to financial market companies.
Also included in this oversight are cloud service providers and data centers, which must comply with DORA requirements. Finally, the law also covers companies that provide critical third-party information services, such as credit rating agencies and data analytics providers.
In summary, these are the organizations affected by the Digital Operational Resilience Act:
- Traditional financial entities: Banks, investment firms, and credit institutions.
- Non-traditional financial entities: Crypto-asset service providers and crowdfunding platforms.
- Third-party service providers: Companies that provide Information and Communication Technology services to financial market entities. Cloud service providers and data centers.
- Third-party information services: Credit rating agencies and data analytics providers.
Read more: 3-line model: what it is and how it works in financial risk management
Digital Operational Resilience Act requirements
The Digital Operational Resilience Act operates on five main pillars to ensure the digital operational resilience of the European financial services market. Below, we will discuss each of them in detail.
1. Information and Communication Technology (ICT) risk management
The first objective of DORA is to transform ICT risk management into a proactive process. Today, it operates reactively, only in response to incidents that have already occurred.
To achieve this, the new legislation mandates the development and implementation of regular risk assessments, evaluation practices, mitigation strategies, incident response plans, and risk awareness processes within organizations.
2. Incident notification
The Digital Operational Resilience Act standardizes the incident notification process within financial institutions operating in the European Union. It requires these organizations to implement systems for monitoring, detecting, describing, notifying, and analyzing significant incidents.
The reporting framework should include procedures for reporting to internal and external stakeholders. This is part of the regulation’s effort to ensure greater transparency in the financial market’s security area.
3. Operational resilience testing
Organizations must conduct periodic tests to assess their digital vulnerabilities and their ability to respond to cyber threats. Based on the results, they must create a plan to improve their digital security practices.
This pillar aims to ensure that European financial institutions can survive malicious attacks. These threats can be basic, intermediate, or advanced — depending on the size and complexity of the entity.
4. Third-party risk management
The Digital Operational Resilience Act requires financial institutions to draft detailed contracts with their Information and Communication Technology providers. They need to conduct thorough legal audits and have a robust process for terminating these partnerships.
The goal of this requirement is to strengthen the relationship between financial institutions and their most critical third-party suppliers. This way, the aim is to prevent these relationships from compromising the operational resilience of financial sector organizations in Europe.
5. Information sharing
Organizations must share information securely to increase collaboration and resilience among financial institutions. The goal is to raise industry members’ awareness of operational resilience.
Another point of this pillar is to increase the sharing of practices or lessons learned across the sector.
How to prepare for the Digital Operational Resilience Act (DORA)
The Digital Operational Resilience Act consists of three components: regulation (level 1), technical standards (level 2), and guidelines (level 3).
The first component refers to the legislative text that sets the framework for the digital operational resilience of the financial sector.
The second level deals with the rules developed by the European Supervisory Authorities (ESAs), which will provide the technical requirements and procedures to implement the regulations. Finally, level 3 covers the non-binding recommendations issued by the ESAs, which will help financial entities comply with the technical standards.
At this initial stage, your institution needs to take as many precautions as possible to prepare for the new legislation. Below, check out what you can do to get your organization ready for the Digital Operational Resilience Act.
1. Understand processes and systems
Map out which corporate services depend on which processes and systems, as well as how this support occurs. Check the data flow and how different systems interact with each other.
Process the data, documenting which types of information are processed by each system. Then ensure that the data flow is secure and compliant with relevant legislation.
2. Identify ICT risks
If you don’t already have one, implement an Information and Communication Technology Risk Management framework. If you do, review your current one to ensure it complies with DORA.
Your ICT risk framework should include the identification, assessment, mitigation, and monitoring of threats.
You should also conduct regular assessments of ICT risks. This includes checks on hardware, software, data, and communication systems.
The SoftExpert GRC (Governance, Risk, and Compliance) software ensures compliance with corporate policies, laws, and external regulations. With it, your organization will be prepared for the arrival of the Digital Operational Resilience Act, while also adhering to standards such as ISO 9001, ISO 190011, and ISO 22301.
3. Conduct a Gap Analysis
Check if your current framework meets DORA’s requirements and identify gaps that need to be addressed. Conduct a rigorous assessment of your current digital operational resilience capabilities.
Perform a gap analysis focusing on identifying deficiencies in existing practices. Determine which non-compliance points need to be improved to fit the standards of the Digital Operational Resilience Act.
4. Manage third-party risks
Identify all your suppliers and other third-party stakeholders to develop an ICT risk management strategy for third parties. List all your suppliers and assess their roles in your organization’s Information and Communication Technology system.
Develop a comprehensive strategy to manage risks associated with third-party ICT providers. This includes conducting a legal audit, necessary contractual arrangements, and continuous monitoring.
5. Implement an incident management process
Ensure that your company has a mature incident management process. It should allow for quick responses to cyber threats and the sharing of information with authorities.
Your incident management framework should have established procedures for identifying, tracking, recording, and classifying ICT-related occurrences.
Your incident management process should include agile response mechanisms and protocols for creating reports to be submitted to regulators. This procedure should cover communication plans, the roles and responsibilities of employees, and how to document the incidents themselves.
Read more: Why should your company be concerned with asset management?
Conclusion
The Digital Operational Resilience Act represents a significant advancement in the regulation of digital operational resilience for the European financial sector. As cyber threats become more sophisticated, compliance with this legislation will be essential to ensure the security and continuity of financial services.
From large banks to technology service providers, institutions of all sizes will need to review and strengthen their risk management and resilience practices. Preparing for DORA is not just about meeting regulatory requirements but also about protecting the organization’s assets and reputation.
This includes identifying vulnerabilities, managing third-party risks, and ensuring a quick and effective response to incidents. In summary, the careful implementation of DORA’s guidelines will provide greater confidence to the financial sector and its clients, raising the level of security and collaboration among institutions.
Looking for more efficiency and compliance in your operations? Our experts can help identify the best strategies for your company with SoftExpert solutions. Contact us today!
