Digital Operational Resilience Act (DORA) is one of the recent acts adopted by the European Union (EU) in 2022. It is aimed at increasing the level of cyberrisk for the financial sector and ensuring that the financial organizations are prepared and capable of preventing and managing various cyber threats and business continuity disruptions.
DORA provides a wide framework that outlines the EU financial entities’ specifications and guidelines. It relates to risk assessment in relation to ICT, reporting of incidents, third party management, and digital operations resilience testing.
Therefore, the main goal of DORA is to build up a more coherent and advanced digital resilience regime in the EU to assist the financial sector to continue to work and be safeguarded from increasing cyber threats and operational disruptions.
The Key Objectives of DORA
- Enhancing Cybersecurity Preparedness: DORA makes it mandatory for financial entities to have the right cybersecurity measures that include; the use of security technologies, having an adequate response plan in case of a cybersecurity attack, and practicing of their cybersecurity measures.
- Strengthening Operational Resilience: It requires the financial bodies to develop and maintain sound business continuity and disaster recovery plans in order to be in a position to quickly resume the important operations after disruptions.
- Improving Third-Party Risk Management: DORA also pays special attention to the risks associated with third-party service providers whereby a financial entity is required to perform adequate identification and exercise adequate supervision and monitoring over such a provider.
- Fostering Collaboration and Information Sharing: The Act encourages collaboration between financial institutions and authorities and other members of the sector and thus, the improvement of the sector’s digital safety.
- Ensuring Regulatory Compliance: DORA outlines a list of compliance requirements that are well understood for financial entities to be able to continue with their business and be safe and digital. These penalties are normally accompanied by rather high fines and can also cause a significant amount of harm to the company’s image.
The impact of DORA in the Digital Environment
Thus, based on the analysis of the main provisions of the DORA, it can be assumed that the changes that have begun will impact the digital landscape of the financial sector in the EU. Some of the key implications include:
- Increased Cybersecurity Investments: The enhancements of the financial entities’ cybersecurity will be quite expensive for the companies, as they will have to invest in the effective technologies and qualified staff.
- Improved Third-Party Risk Management: Third parties will also be scrutinized by the financial institutions as they attempt to assess if they meet new security and resilience standards of DORA.
- Strengthened Incident Response and Reporting: The requirements for the reporting of incidents through DORA will force the financial entities into developing good procedures in handling incidents and enhance on the capacity of identifying, managing and reporting cyber incidents and operational disruptions.
- Increased Regulatory Scrutiny: As a result of DORA, there will be enhanced legal compliance, penalties and financial firms will be subjected to more penalties in case they do not meet the required legal compliance.
- Fostering Collaboration and Information Sharing: In this case, due to the provision of the Act aimed at cooperation and information exchange between financial institutions and supervisory authorities, it should also promote the formation of best practices in the industry and the creation of more effective digital preparedness strategies.
Compliance Requirements Under DORA
DORA sets out a comprehensive set of compliance requirements that financial institutions have to adhere to in order to maintain the digital business resilience. These requirements include:
- ICT Risk Management: These are the risk management frameworks, risks identification, assessment, and the mitigation strategies that are relevant to the financial entities to adopt and apply.
- Incident Reporting: Financial entities also require adequate ways of describing the incident and reporting, which should enable the entities to promptly act on the threats or other interferences in their operations.
- ICT Third-Party Risk Management: The financial entities have to be able to conduct sufficient risk evaluations with the third-party service providers to assure that they meet the security and reliability standards under DORA.
- Digital Operational Resilience Testing: The financial entities are supposed to conduct the testing of their digital operational resilience on the regular basis, including the threat-led penetration testing and scenario-based exercise.
- Governance and Oversight: DORA will require that the type of financial entities that fall under it must put in place suitable governance structures and supervision arrangements for the sustained management and supervision of their digital operational resilience.
Measures That Companies Can Employ to Ensure Compliance with DORA
As the implementation of DORA approaches, financial entities within the European Union should take the following steps to ensure their readiness and compliance:
- Conduct a Gap Analysis: Evaluate the organization’s digital operating model and determine which aspects of it should be enhanced to meet DORA.
- Develop a Compliance Roadmap: Thus, using the results of the gap analysis, it is possible to develop the following plan of measures, time, and costs for compliance with DORA.
- Enhance ICT Risk Management: There is need to develop and deploy good ICT risk management frameworks such as the one that focuses on the identification, evaluation and control of ICT risks.
- Strengthen Incident Response and Reporting: To address the DORA guidance, make sure that proper methods are used in the identification, handling and reporting of such events.
- Optimize Third-Party Risk Management: Your organization’s management must ensure that you perform the necessary adequate assessment on third-party service providers and put in place all the oversight and control measures that DORA will demand.
- Implement Digital Operational Resilience Testing: Provide and implement end to end digital operational resilience testing solutions such as Threat led penetration testing and scenario testing.
- Enhance Governance and Oversight: Your organisation must have good developed governance structures and oversight for your digital operational resilience and for monitoring it.
- Collaborate and Share Information: Consult with other players in the industry and other regulatory bodies as well as other stakeholders for the purpose of exchanging information and familiarizing with the best practices in the field with the view of improving the level of digital readiness in the financial sector.
Conclusion
From the enhancement of the EU’s digital financial architecture, the Digital Operational Resilience Act (DORA) may be regarded as one of the significant outputs. Therefore, with the help of DORA, it is possible to define a set of compliance measures that will help financial entities to be ready for cyberrisks and operational failures and recover after them.
As the EU financial entities start planning for DORA’s application, organizations must put correct procedures in place for the evaluation of the current digital operational resilience, compliance strategies, and activities that will be necessary for the fulfillment of the Act’s provisions.
