What we know about DORA: The Digital Operational Resilience Act
DORA enters a crowded field of operational resilience regulation.
A few years ago, the Bank of England (BoE) stood out as one of the few major regulators to mandate operational resilience standards in the financial services sector. Fast forward, and that is no longer the case.
Since then, financial services regulators in Australia (APRA) and the U.S. (the Federal Reserve) have also introduced regulations meant to ensure baseline operational resilience for regulated firms.
Now the largest of them all is arriving: the EU's Digital Operational Resilience Act, or DORA.
What is DORA?
So, what’s DORA all about?
A binding EU regulation on digital operational resilience for the financial sector, DORA seeks to address potential systemic and concentration risks posed by the sector’s reliance on ICT third-party providers (TPPs).
DORA attempts to accomplish this by compelling regulated entities to follow bloc-wide rules on protection, detection, containment, recovery, and repair capabilities against ICT-related incidents.
Those bloc-wide rules center on two things: an oversight framework for ICT third-party providers designated as critical to the EU financial sector, and a consolidation and upgrade of ICT (Information and Communication Technology) risk mandates throughout the financial sector, so that all participants are subject to a common set of standards for mitigating ICT risk in their operations.
Sectors covered by DORA
Who gets counted?
When fully in force, DORA will cover a broad range of financial institutions, including the following:
- Credit institutions
- Payment institutions
- e-money institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Managers of alternative investment funds
- UCITS management companies
- Administrators of critical benchmarks
- Crowdfunding service providers
- ICT third-party service providers
And not just in the EU, either. DORA also reaches non-EU entities: ICT third-party providers headquartered outside the EU fall under the oversight framework if they are designated as critical.
The main tenets of DORA
What, then, is included in DORA?
As noted, DORA addresses the issue of ICT risk and incident management. The Regulation sets rules for ICT risk-management, incident reporting, operational resilience testing, and ICT third-party risk monitoring, all of which we’ll briefly tackle in this article:
- ICT risk management. To achieve a high level of digital operational resilience, DORA requires financial entities to put in place an internal governance and control framework that ensures the effective and prudent management of ICT risk. This framework is overseen by the financial entity's management body, which must define, approve, and bear responsibility for the implementation of all arrangements related to the ICT risk management framework.
- ICT incident reporting. The purpose of DORA is to mitigate ICT risk. But what if ICT incidents happen anyway? Here, DORA lays out concrete incident management and reporting requirements, including the reporting of major ICT-related incidents to the relevant competent authority. The gist of these requirements is that entities must have established procedures and processes for the consistent and integrated monitoring, handling, and follow-up of ICT-related incidents. Entities must also ensure that root causes are identified, documented, and addressed to prevent such incidents from recurring.
- Digital operational resilience testing requirements. Of course, resilience arrangements are only as good as their last test, so DORA requires that ICT systems, tools, and processes be tested to confirm they will hold up during an ICT-related incident. Entities must establish, maintain, and review a sound and comprehensive digital operational resilience testing program as an integral part of the ICT risk management framework, for the purpose of assessing preparedness for handling ICT-related incidents, identifying weaknesses, deficiencies, and gaps in digital operational resilience, and promptly implementing corrective measures. For financial entities that meet certain criteria, this program must also include advanced, threat-led penetration testing (TLPT) of live production systems on a recurring basis.
- ICT third-party risk management requirements. The rationale behind DORA and analogous regulations is the growing risk associated with ICT third parties that provide critical services to financial services firms. As a result, the Regulation requires entities to manage ICT third-party risk as an integral component of ICT risk more broadly, within the entity's ICT risk management framework. That framework, however, should be governed by the principle of proportionality: it must take into account the nature, scale, complexity, and importance of ICT-related dependencies, as well as the risks arising from the contractual arrangements for ICT services concluded with ICT third-party service providers.
Finally, DORA is here, and compliance will be required by the time the Regulation applies in full on 17 January 2025.
Of course, this article can only provide the barest outlines of what will be required to remain in good standing. So, what else will be needed? For a more comprehensive analysis of the Digital Operational Resilience Act, download Noggin’s free Introductory Guide to DORA.