What is DORA
The Digital Operational Resilience Act (DORA), is an initiative introduced by the European Parliament and the Council, set to become effective by 17 January 2025. This regulation was conceived in response to the increasing reliance of financial firms on digital systems and the potential systemic risks they pose. In February 2020, Europe's systemic risk watchdog raised alarms about the possibility of a single cyber incident spiralling into a systemic crisis, jeopardizing financial stability. Recognizing the gravity of such threats, the EU decided to mandate firms to bolster the resilience of their digital operations.
DORA's inception is rooted in the EU's ambition to streamline and unify the regulatory landscape. Currently, the regulatory framework is fragmented, with directives like CRD IV, PSD2, EMIR, Solvency II, and MIFID, supplemented by local requirements like those of the CSSF in Luxembourg, creating a complex web overseen by multiple bodies. DORA aims to simplify this by introducing a single legislative act that addresses ICT risk in finance across the union. This not only reduces regulatory complexity but also alleviates the financial and administrative burdens arising from the existing patchwork of regulations.
The act encompasses several key areas of ICT risk management:
Firms are mandated to establish and sustain resilient ICT systems and tools. This involves continuous identification and mitigation of ICT risks, the implementation of protective measures, and the creation of comprehensive business continuity policies and disaster recovery plans.
DORA necessitates firms to devise a management process dedicated to monitoring, classifying, and reporting significant ICT-related incidents to competent authorities, as outlined under the NIS(2) Directives.
Digital operational resilience testing
The act requires firms to rigorously test their ICT risk management framework's operational resilience. This encompasses a wide range of tests, from vulnerability assessments and network security evaluations to scenario-based tests and penetration testing.
ICT Third-party risk
Beyond just assessing and monitoring ICT third-party risks, firms must also ensure that their contracts with these parties explicitly state their obligations under DORA. Moreover, critical ICT third-party service providers in the financial sectors are expected to comply with an oversight framework.
DORA promotes the establishment of platforms for financial entities to share cyber threat information and intelligence.
Types of companies subject to DORA
The Digital Operational Resilience Act (DORA) is a comprehensive regulation that aims to ensure the resilience of digital operations across a wide spectrum of financial entities within the European Union. The regulation is designed to cover financial firms of almost all sizes across every sector of the finance industry. Here's an overview:
- Credit Institutions: Entities primarily accepting deposits or other repayable funds from the public and granting credits for their own account.
- Payment Institutions: Entities providing and executing payment services across the EU. This includes institutions exempted under Directive (EU) 2015/2366.
- Account Information Service Providers: Entities offering online services to provide consolidated information on payment accounts held by a payment service user with other payment service providers.
- Electronic Money Institutions: Entities issuing electronic money, which can be used for making payments. This includes institutions exempted under Directive 2009/110/EC.
- Investment Firms: Firms providing investment services or performing investment activities on a professional basis.
- Crypto-asset Service Providers: Entities providing services related to cryptocurrency and other digital assets, especially those authorized under a Regulation on markets in crypto-assets, and issuers of asset-referenced tokens.
- Central Securities Depositories: Institutions providing securities accounts, central maintenance services, and securities settlement services.
- Central Counterparties: Entities that interpose themselves between the two parties to a trade, acting as the focal point for each party's counterparty credit risk.
- Trading Venues: This encompasses regulated markets, multilateral trading facilities (MTFs), and organized trading facilities (OTFs).
- Trade Repositories: Entities that centrally collect and maintain records of derivatives.
- Managers of Alternative Investment Funds: Entities responsible for managing and administering investment funds.
- Management Companies: Companies responsible for the management of investment funds.
- Data Reporting Service Providers: Entities providing services related to the reporting of transaction data.
- Insurance and Reinsurance Undertakings: Companies offering insurance and reinsurance services.
- Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries: Entities mediating between insurance companies and clients.
- Institutions for Occupational Retirement Provision: Institutions providing retirement benefits in the form of occupational pensions.
- Credit Rating Agencies: Entities rating the creditworthiness of debt securities and their issuers.
- Administrators of Critical Benchmarks: Entities responsible for providing, compiling, or maintaining a benchmark.
- Crowdfunding Service Providers: Platforms facilitating crowdfunding, a method of raising capital through the collective effort of a large number of individual investors.
- Securitisation Repositories: Entities that centrally collect and maintain records related to securitization.
- ICT Third-Party Service Providers: External service providers offering information and communication technology services to the aforementioned financial entities.
It's essential to understand that DORA's provisions are not one-size-fits-all. Depending on the nature and category of your financial entity, the regulation may stipulate different requirements. This tailored approach ensures that each type of company addresses the unique risks and challenges inherent to its operations. As such, firms must carefully assess the specific provisions of DORA that apply to their category to ensure full compliance and to optimize their digital operational resilience effectively.
Accountability for Board/Management
DORA introduces a heightened level of responsibility for Boards and management bodies of covered entities. This responsibility is not just organizational but also personal, emphasizing the gravity of ensuring digital operational resilience.
Defining the "Management Body"
DORA's obligations are directed at the covered entity's "Management Body." Typically, this refers to the entity's Board, even within complex group structures. This means that individual Boards at the entity level must ensure they possess adequate oversight and control over policies and procedures, even those established at a group level, to fulfil their DORA obligations.
Ultimate Responsibility Lies with the Board:
The Board holds the final responsibility for the entity's ICT risk management and operational resilience strategy. This underscores the anticipated regulatory expectation for Boards to be more deeply involved in overseeing digital operational resilience risks. This involvement extends to ensuring compliance with DORA's comprehensive technical and policy mandates. In instances of systemic failings, regulatory inquiries might probe deeper into the Board's engagement level.
Mandatory Skills and Training
DORA mandates that Board members continually update their knowledge and skills to comprehend and evaluate ICT risks and their potential repercussions on the entity. This involves regular training, ensuring Board members grasp:
- Fundamental technical and organizational aspects of ICT security and resilience.
- The significance of ICT security and resilience for the financial entity.
- The specific ICT-related threats the entity faces.
- The strategies the entity employs to counteract those threats and the acceptable risk thresholds.
The Board must receive annual reports from senior ICT personnel, focusing on insights from testing, audits, and incidents. Additionally, DORA necessitates the establishment of reporting channels for the Board to be informed about major ICT-related incidents. While many entities might already have such processes, DORA could potentially expand the scope and frequency of these briefings.
Approval and Review of Policies
The Board is required to implement, approve, and periodically review several key policies, plans, and arrangements. This encompasses roles and responsibilities for ICT-related functions, reporting channels for ICT third-party service providers, data policies, ICT business continuity policies, and more. These obligations might broaden the range of policies under the Board's purview, aligning with DORA's expectation of a more proactive role in overseeing ICT risks.
Civil and Criminal Liabilities
Member States are mandated to introduce individual civil liability for Board members. Additionally, they have the discretion to introduce criminal liability. This added layer of personal accountability emphasizes the importance of proactive Board engagement in DORA compliance.
DORA's introduction signifies a paradigm shift in the way Boards and management bodies approach digital operational resilience. With personal liabilities on the line, it's imperative for Boards to be proactive, informed, and engaged in ensuring their entities are DORA-compliant.
How to get DORA compliance
DORA is a comprehensive framework designed to ensure that financial entities within the European Union maintain robust digital operational resilience. Compliance with DORA is not just about adhering to a set of rules; it's about integrating a culture of digital resilience throughout the organization. Here's a breakdown on the key DORA compliance pillars:
- ICT Business Continuity and Disaster Recovery: Entities must establish, implement, and maintain a robust business continuity policy and disaster recovery plan. This includes ICT business continuity and disaster recovery plans that aim to ensure the preservation of functions and timely recovery of operations.
- Operational Risk Identification: Entities, such as Central Securities Depositories (CSDs), are required to identify both internal and external sources of operational risk. They must minimize the impact of these risks through the deployment of appropriate ICT tools, processes, and policies.
- Testing and Evaluation: Regular threat-led penetration testing is essential. Financial entities should only employ testers who possess technical and organizational capabilities, demonstrate expertise in threat intelligence, and are certified by an accreditation body in a Member State.
- Board and Management Engagement: As mentioned before, the Board has the ultimate responsibility for the entity's ICT risk management and operational resilience strategy. This includes setting and reviewing roles and responsibilities for all ICT-related functions, establishing reporting channels, and approving and reviewing various key policies and plans.
- Standardised information security frameworks: Standards like ISO27001, an international standard for information security management systems (ISMS), can serve as a foundational framework for DORA compliance. The standard provides a systematic approach to managing sensitive company information and ensuring its confidentiality, integrity, and availability. By aligning DORA's requirements with ISO27001's principles, entities can achieve a holistic approach to digital resilience. The structured approach of ISO27001 can help entities identify potential vulnerabilities, assess risks (including 3rd party risks), and implement appropriate controls, thereby streamlining the path to DORA compliance.
- Training and Skill Development: DORA mandates that Board members and relevant staff undergo regular training to understand and assess ICT risks. This includes understanding the technical and organizational features of ICT security, the importance of ICT resilience to the entity, specific ICT-related risks, and mitigation measures.
- Reporting and Briefings: It is required to establishing a management process to monitor, classify, and report major ICT-related incidents to competent authorities within due time. Next to that the Board must receive reports from senior ICT staff at least annually. These reports should cover lessons learned from testing, audits, and incidents. Additionally, there should be established channels for the Board to receive notifications about major ICT-related incidents.
In essence, DORA compliance means adopting a proactive approach to digital operational resilience, ensuring that all layers of the organization, from the Board to the operational teams, are aligned in understanding, managing, and mitigating ICT risks. Leveraging standards like ISO27001 can provide a structured and internationally recognized framework to support this journey.
The Digital Operational Resilience Act is not just another regulation on the horizon; it's an imminent transformation that financial entities within the European Union must brace for. The lessons from the introduction of GDPR are still fresh in our minds. Many organizations were caught off-guard, leading to last-minute scrambles, hefty fines, and reputational damage. The key takeaway? Procrastination is a costly strategy.
The deadline for DORA compliance, 17 January 2025, may seem distant, but in the realm of organizational change and digital transformation, it's just around the corner. The complexities of the regulation, combined with the intricacies of digital operational resilience, make this a challenging endeavour that demands immediate attention. Waiting until the eleventh hour, as many did with GDPR, is not an option.
Enter brainframe.com, a management platform tailored for such challenges. In the face of DORA's stringent requirements, having a centralized platform like Brainframe becomes indispensable. It's not just about compliance; it's about efficiency, cost-saving, and ensuring that evidence collection is streamlined. With Brainframe, organizations can navigate the DORA landscape with confidence, ensuring that every requirement is met, every risk is assessed, and every evidence is meticulously documented.
However, technology alone isn't the silver bullet. Expertise is crucial. If your organization currently lacks the in-house specialists to navigate the DORA maze, fear not. Our extensive network of seasoned specialists stands ready to assist. With their expertise, you can chart a clear path to compliance, ensuring that every box is ticked, every challenge is met, and every potential pitfall is avoided.
In conclusion, DORA is not just a regulatory challenge; it's an opportunity. An opportunity to bolster your digital resilience, enhance your operational efficiency, and showcase your commitment to the highest standards of ICT risk management. With the right tools, like Brainframe, and the right expertise, your journey to DORA compliance can be smooth, efficient, and cost-effective. Don't wait. The future is now.