After COVID, no business can afford to take its digital operational resilience for granted. But for a set of firms in the EU and their major partners elsewhere, digital operational resilience will soon be mandated.
What’s going on? Here’s what you need to know about DORA (the Digital Operational Resilience Act).
An overview of the Digital Operational Resilience Act (DORA)
A binding EU regulation on digital operational resilience for the financial sector, DORA introduces an oversight framework for EU third-party providers (TPPs) deemed to be critical to the stability and integrity of the bloc’s financial system.
How, exactly?
The Regulation does so by consolidating and upgrading ICT risk requirements throughout the financial sector, to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risk to their operations.
Once it comes into full force on 17 January 2025, DORA will compel regulated entities to follow bloc-wide rules for protection, detection, containment, recovery, and repair capabilities against ICT-related incidents.
What’s in DORA?
So, what’s in the Regulation? Well, DORA lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities.
Requirements are centered around the following functional areas:
Information and communication technology (ICT) risk management
Here, the Regulation mandates that financial entities put in place an internal governance and control framework, overseen by the firm’s managing body, to ensure the effective and prudent management of ICT risk in order to achieve a high level of digital operational resilience.
Reporting and notification of major ICT-related incidents
Given the likelihood of an ICT-related incident happening, DORA mandates that firms define, establish, and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents. Firms will also have to record all ICT-related incidents and significant cyber threats.
Digital operational resilience testing
Protocols to ensure digital operational resilience must be tested, though. And to this end, the Regulation requires firms to establish, maintain, and review a sound and comprehensive digital operational resilience testing program for the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies, and gaps in digital operational resilience, and of promptly implementing corrective measures.
Measures for the sound management of ICT third-party risk
The rationale for DORA comes from the clear emergence of ICT third-party risk as a key threat vector and challenge to digital operational resilience. And so, the Regulation lays out strict guidelines for the management of such risk, requiring among other responsibilities that firms adopt and regularly review a strategy on ICT third-party risk.
Such a strategy should include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers, and it should apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis.
Of course, there’s more to DORA than those four pillars. For one, DORA sets a high baseline for digital operational resilience competency, which includes the use of resilience management software tools. For more on what it will take to comply, download our Guide to the Digital Operational Resilience Act, here.