Digital Operational Resilience Act (DORA)
What is the Digital Operational Resilience Act (DORA)?
In today's digital age, the reliance on Information and Communication Technology (ICT) has made financial entities more vulnerable to cyber incidents, making operational resilience more critical than ever. The Digital Operational Resilience Act (DORA) is a regulation introduced by the European Union to ensure that financial institutions are well-prepared to manage the risks associated with ICT. Read on to learn how to prepare for DORA compliance and explore A&M's strategic and structural approach to ensure a thorough and effective implementation.
What is DORA Resilience?
The Digital Operational Resilience Act mandates financial entities to establish strong mechanisms for protection, detection, containment, recovery, repair and reporting against Information and Communication Technology (ICT) related incidents.
Key elements of DORA:
- ICT Risk Management: Develop frameworks for risk management, incident reporting, resilience testing, and third-party risk monitoring.
- Operational Resilience: Design strategies for preventing, responding to, recovering from, and learning from disruptions.
What Are the Five Pillars in DORA Regulation?
The Digital Operational Resilience Act establishes an overarching framework to strengthen the digital resilience of European financial institutions. DORA is structured around five main pillars that address specific aspects of digital operational resilience.
A&M approaches DORA with a focus on strategic and structural perspectives for each pillar, ensuring thorough and effective implementation, explained as follows:
1. ICT Governance & Risk Management: Establishing a strong ICT risk management is essential for protecting, preventing, and detecting incidents. You can achieve this through the implementation of ‘resilience by design' by investing in advance to mitigate inherent risks. Key actions include:
- Build a resilience culture supported by continuous training.
- Be clear on the strategic intent and embed resilience within the business strategy.
- Clarify responsibilities and instill accountability, including escalation routes.
- Proactively mitigate potential threats, integrating ICT risk appetite and impact tolerances into an ICT strategy and budget.
- Realign resilience from an individual system/resource view to a holistic critical business services view.
- Implement common ICT risk and control protocols.
2. Incident Management & Reporting: Detecting and responding to operational disruptions across critical services quickly and effectively is crucial for effective incident management. Key actions include:
- Robust incident response plans.
- Crisis management protocols.
- Business continuity measures.
- Timely and coordinated actions to minimize and restore operations.
- Communication plans to report major incidents to regulators, users, and clients.
- Efficient use of the right tools and processes to log ICT incidents and then extract relevant KPIs.
- Automated reporting where possible.
- Qualitative remediation of incidents i.e., tactical, structural, and preventive.
3. ICT Third-Party Risk Management: Effectively managing reliance on third-party ICT providers involves aligning contractual arrangements with your risk appetite. Key actions include:
- Understand information assets and ICT asset dependencies on third parties, including their value, criticality, sensitivity etc.
- Develop a clear third-party risk strategy.
- Create a policy on the use of ICT services provided by third parties and the risks identified.
- Register contractual arrangements with third parties, distinguishing between critical and non-critical provisions.
- Provide clear service level descriptions with precise quantitative and qualitative performance metrics.
- Include clear termination provisions and tested exit strategies to maintain business continuity.
- Annual reporting to the regulator on all new arrangements.
4. Operational Resilience Testing: Developing a comprehensive, risk-based approach to ICT stress and scenario testing, including penetration tests, is essential for identifying key gaps in operational resilience capabilities. Key actions include:
- Remediate gaps against impact tolerances with prioritized actions and remediation plans.
- Use stress and scenario testing to learn and continuously improve.
5. ICT Information Sharing: Ensuring proper information and intelligence sharing is essential for maintaining a collaborative and transparent relationship with regulators. Key actions include:
- Frame the conversation with regulators.
- Anticipate terms and conditions for information and intelligence sharing (e.g., format, frequency, etc.).
How Does DORA Impact Entities?
Entities using ICT systems such as ERP, CRM, cloud computing, and online banking must comply with DORA. Key scenarios include:
- Cross-Border Transactions: U.S. financial institutions engaging in transactions with EU entities must ensure their ICT systems can withstand disruptions.
- Client Onboarding: Secure and robust ICT systems are essential for handling EU client data effectively.
How to Prepare for DORA Compliance
- Implement common ICT risk and control protocols.
- Detect and respond to operational disruptions across critical services quickly and effectively.
- Develop a comprehensive approach to risk-based ICT stress and scenario testing.
- Manage third-party ICT providers with clear policies and termination provisions.
- Annual reporting to regulators on all new arrangements.
Are You Ready for DORA?
- DORA came into force on January 16, 2023, with compliance required by January 2025. Non-compliance carries severe penalties, including fines of 1% of global average daily revenue for up to 6 months and potential cease-and-desist orders.
- This regulation affects U.S. financial institutions operating within the EU or interacting with EU financial entities fall under DORA compliance.
- Despite the urgency, most risk management professionals are only at the beginning of their planning journey. It is essential to start preparing now to ensure compliance and avoid these severe penalties.
Want to learn more about DORA and how it impacts your organization? Read the full article to understand the detailed requirements and ensure your financial entity is fully compliant with this critical regulation.
How A&M Can Help
Partnering with A&M offers significant advantages. Our regulatory and technical expertise simplifies DORA compliance. We leverage proven strategies and insights from other regulatory programs to help you develop and execute a roadmap. This approach avoids common pitfalls and ensures a robust foundation for digital resilience.
