Whitepaper

Guide to the Digital Operational Resilience Act (DORA)

Noggin

Business Continuity Management

Published November 28, 2023

Digital operational resilience management has never been more important.

Organizations have more dependencies than ever before, particularly in the financial services space. As a result, the risk of disruption that financial entities face has only intensified, given the widespread adoption of digital solutions and the increasing use of outsourced service providers.

Add to the mix that organizations, since the pandemic, are functioning in a completely different operational environment. They are likely to have fundamentally changed the way they interact with technology, customers, and their own employees.

Indeed, this need to adapt to (and accelerate) the pace of change increases the risk of digital disruption. At the same time, the need to adapt quickly to digitization while maintaining continuous business operations and safeguarding people, assets, and brand equity makes digital operational resilience management more important than ever before.

Shifts in the regulatory environment also increase the salience of digital operational resilience.

As a result, regulators and policymakers have intervened. A few years ago, the Bank of England (BoE) stood out as one of the only major regulators to mandate operational resilience standards in the U.K.’s financial services sector.

The regulatory path paved by the BoE has subsequently been taken up by other national and supranational regulators, including the Australian Prudential Regulation Authority (APRA) and the U.S. Federal Reserve. 

Here, in the EU, we have the Digital Operational Resilience Act (DORA), the first such Bloc-wide policy seeking to align the approach to managing information and communications technologies (ICT) and cyber risk in the financial sector across all EU member states. 

What’s DORA all about? This guide serves as a primer to the Digital Operational Resilience Act (DORA), focusing on what’s in the regulation and what affected entities should expect.

What is DORA?

A binding EU regulation on digital operational resilience for the financial sector, DORA seeks to address potential systemic and concentration risks posed by the financial sector’s reliance on ICT third-party providers (TPPs). How?

Well, DORA introduces an oversight framework for EU TPPs deemed to be “critical to the stability and integrity of the [EU] financial system” [i]. DORA also seeks to consolidate and upgrade ICT risk requirements throughout the financial sector, to ensure that all participants of the financial system are subject to a common set of standards to mitigate ICT risks for their operations.

What, then, is the thinking behind DORA? As regulators aver, financial institutions before DORA managed the main categories of operational risk mainly through the allocation of capital, without much thought paid to all aspects of operational resilience. But ICT incidents and a lack of operational resilience can jeopardise the soundness of the entire financial system, even with adequate capital for the traditional risk categories.

As with similar regulations, the intention behind DORA is to ensure that all participants in the financial system have the necessary safeguards to mitigate cyber-attacks and other risks. And so, the Regulation, once it comes into force fully on 17 January 2025, will require firms to ensure that they can withstand all types of ICT-related disruptions and threats.

Which sectors are covered by DORA?

Who’s covered by DORA?

DORA covers a broad range of financial institutions, including the following:

  • Credit institutions
  • Payment institutions
  • e-money institutions
  • Investment firms
  • Crypto-asset service providers
  • Central securities depositories
  • Managers of alternative investment funds
  • UCITS management companies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • ICT third-party service providers

Although an EU regulation, DORA has the potential to apply to non-EU entities, as well. That’s because TPPs that provide services to EU financial entities, e.g., banks, broker-dealers, and insurers, will be required to establish subsidiaries in the EU, should those TPPs be classed as critical.

The main tenets of DORA

DORA itself sets out provisions for ICT risk and incident management, laying down rules for ICT risk management, incident reporting, operational resilience testing, and ICT third-party risk monitoring, all of which this guide will tackle.

The main tenets of the Regulation, as laid out in its first Article, read as follows:

  1. In order to achieve a high common level of digital operational resilience, this Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows:
    a. Requirements applicable to financial entities in relation to:
      i. Information and communication technology (ICT) risk management
      ii. Reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities
      iii. Reporting of major operational or security payment-related incidents to the competent authorities by financial entities
      iv. Digital operational resilience testing
      v. Information and intelligence sharing in relation to cyber threats and vulnerabilities
      vi. Measures for the sound management of ICT third-party risk
    b. Requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities
    c. Rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities
    d. Rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation

ICT risk management requirements

Digital operational resilience is at the centre of DORA. But what does it mean? The definition, as provided in the Regulation, is long:

Digital operational resilience refers to the ability of a financial entity to build, assure, and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.

To ensure digital operational resilience, entities must mitigate ICT risk. What is ICT risk, though? 

Again, the Regulation defines ICT risk as a reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology-dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment.

How, then, does DORA go about addressing ICT risk? The Regulation does so by mandating financial entities to put in place an internal governance and control framework to ensure the effective and prudent management of ICT risk, to achieve a high level of digital operational resilience.

Who’s responsible for taking these actions? Per the Regulation, the management body of the financial entity must define, approve, oversee, and be responsible for the implementation of all arrangements related to the ICT risk management framework. 

Specific requirements for that management body include the following:

  • Bear the ultimate responsibility for managing the financial entity’s ICT risk
  • Put in place policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity, and confidentiality of data
  • Set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation, and coordination among those functions
  • Bear the overall responsibility for setting and approving the digital operational resilience strategy, including the determination of the appropriate risk tolerance level of ICT risk of the financial entity
  • Approve, oversee, and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans, which may be adopted as a dedicated specific policy forming an integral part of the financial entity’s overall business continuity policy and response and recovery plan
  • Approve and periodically review the financial entity’s ICT internal audit plans, ICT audits, and material modifications to them
  • Allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources, including relevant ICT security awareness programmes and digital operational resilience training and ICT skills for all staff
  • Approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers

What other requirements do financial entities have? According to DORA, financial entities must also establish a role to monitor the arrangements concluded with ICT third-party service providers on the use of ICT services or designate a member of senior management as responsible for overseeing the related risk exposure and relevant documentation.

A further requirement of the management body is to actively keep up to date with sufficient knowledge and skills to understand and assess ICT risk and its impact on the operations of the financial entity, including by following specific training on a regular basis – with that training being commensurate to the ICT risk being managed.

ICT incident reporting requirements

What if an ICT incident should occur anyway? As such events (single or linked) can have an adverse impact on the availability, authenticity, integrity, or confidentiality of data, or on the services provided by the financial entity, they are to be handled with great care.

DORA lays out concrete incident reporting requirements for affected entities. Those requirements include:

  • Define, establish, and implement an ICT-related incident management process to detect, manage, and notify ICT-related incidents
  • Record all ICT-related incidents and significant cyber threats
  • Establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling, and follow-up of ICT-related incidents, to ensure that root causes are identified, documented, and addressed to prevent the occurrence of such incidents

The above requirements bespeak the need for entities to establish ICT-related incident management processes. Of that process, the Regulation mandates entities do the following:

  • Put in place early warning indicators
  • Establish procedures to identify, track, log, categorise, and classify ICT-related incidents according to priority and severity and the criticality of the services impacted
  • Assign roles and responsibilities that need to be activated for different ICT-related incident types and scenarios
  • Set out plans for communication to staff, external stakeholders, and media and for notification to clients, for internal escalation procedures, including ICT-related customer complaints, as well as for the provision of information to financial entities that act as counterparts
  • Ensure that at least major ICT-related incidents are reported to relevant senior management and inform the management body of at least major ICT-related incidents, explaining the impact, response, and additional controls to be established as a result of such ICT-related incidents
  • Establish ICT-related incident response procedures to mitigate impacts and ensure that services become operational and secure in a timely manner

Digital operational resilience testing requirements

Of course, these processes must all be tested to ensure they will hold up during an ICT-related incident. To that end, the Regulation lays out a host of testing requirements intended to ensure digital operational resilience.

The requirements include:

  1. Establish, maintain, and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework, for the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies, and gaps in digital operational resilience, and of promptly implementing corrective measures
  2. Include in the digital operational resilience testing programme a range of assessments, tests, methodologies, practices, and tools to be applied
  3. Follow a risk-based approach duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate
  4. Ensure that tests are undertaken by independent parties, whether internal or external
  5. Establish procedures and policies to prioritise, classify, and remedy all issues revealed throughout the performance of the tests, and establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies, or gaps are fully addressed
  6. Ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions

ICT third-party risk management requirements

As noted, the rationale for DORA comes from the clear emergence of ICT third-party risk as a key threat vector and challenge to digital operational resilience. But what is ICT third-party risk, exactly?

The Regulation defines ICT third-party risk as ICT risk that may arise due to ICT services provided by ICT third-party service providers or their subcontractors. 

How, then, does DORA propose to regulate ICT third-party risk? The Regulation does so through the imposition of the following ICT third-party risk management requirements:

  1. Manage ICT third-party risk as an integral component of ICT risk within the entity’s ICT risk management framework and in accordance with the following principles:
    a. Financial entities that have in place contractual arrangements for the use of ICT services to run their business operations shall, at all times, remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law.
    b. Financial entities’ management of ICT third-party risk shall be implemented in light of the principle of proportionality, taking into account:
     i. The nature, scale, complexity, and importance of ICT-related dependencies
     ii. The risks arising from contractual arrangements on the use of ICT services concluded with ICT third-party service providers, taking into account the criticality or importance of the respective service, process or function, and the potential impact on the continuity and availability of financial services and activities, at individual and at group level
  2. Adopt and regularly review a strategy on ICT third-party risk, as part of the entity’s ICT risk management framework, taking into account the multi-vendor strategy. The strategy on ICT third-party risk shall include a policy on the use of ICT services supporting critical or important functions provided by ICT third-party service providers and shall apply on an individual basis and, where relevant, on a sub-consolidated and consolidated basis. The management body shall, on the basis of an assessment of the overall risk profile of the financial entity and the scale and complexity of the business services, regularly review the risks identified in respect to contractual arrangements on the use of ICT services supporting critical or important functions.
  3. Maintain and update, at entity level and at sub-consolidated and consolidated levels, a register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers.

    The contractual arrangements shall be appropriately documented, distinguishing between those that cover ICT services supporting critical or important functions and those that do not.

    Financial entities shall report at least yearly to the competent authorities on the number of new arrangements on the use of ICT services, the categories of ICT third-party service providers, the type of contractual arrangements, and the ICT services and functions which are being provided.

    Financial entities shall make available to the competent authority, upon its request, the full register of information or, as requested, specified sections thereof, along with any information deemed necessary to enable the effective supervision of the financial entity.

    Financial entities shall inform the competent authority in a timely manner about any planned contractual arrangement on the use of ICT services supporting critical or important functions, as well as when a function has become critical or important.
  4. Before entering into a contractual arrangement on the use of ICT services, financial entities shall:
    a. Assess whether the contractual arrangement covers the use of ICT services supporting a critical or important function
    b. Assess if supervisory conditions for contracting are met
    c. Identify and assess all relevant risks in relation to the contractual arrangement, including the possibility that such contractual arrangement may contribute to reinforcing ICT concentration risk
    d. Undertake all due diligence on prospective ICT third-party service providers and ensure throughout the selection and assessment processes that the ICT third-party service provider is suitable
    e. Identify and assess conflicts of interest that the contractual arrangement may cause.
  5. Financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards. When those contractual arrangements concern critical or important functions, financial entities shall, prior to concluding the arrangements, take due consideration of the use, by ICT third-party service providers, of the most up-to-date and highest quality information security standards.
  6. In exercising access, inspection, and audit rights over the ICT third-party service provider, financial entities shall, on the basis of a risk-based approach, pre-determine the frequency of audits and inspections as well as the areas to be audited through adhering to commonly accepted audit standards in line with any supervisory instruction on the use and incorporation of such audit standards
  7. Financial entities shall ensure that contractual arrangements on the use of ICT services may be terminated in any of the following circumstances:
    a. Significant breach by the ICT third-party service provider of applicable laws, regulations, or contractual terms
    b. Circumstances identified throughout the monitoring of ICT third-party risk that are deemed capable of altering the performance of the functions provided through the contractual arrangement, including material changes that affect the arrangement or the situation of the ICT third-party service provider
    c. ICT third-party service provider’s evidenced weaknesses pertaining to its overall ICT risk management and, in particular, in the way it ensures the availability, authenticity, integrity, and confidentiality of data, whether personal or otherwise sensitive data, or non-personal data
    d. Where the competent authority can no longer effectively supervise the financial entity as a result of the conditions of, or circumstances related to, the respective contractual arrangement.
  8. For ICT services supporting critical or important functions, financial entities shall put in place exit strategies. The exit strategies shall take into account risks that may emerge at the level of ICT third-party service providers, in particular a possible failure on their part, a deterioration of the quality of the ICT services provided, any business disruption due to inappropriate or failed provision of ICT services or any material risk arising in relation to the appropriate and continuous deployment of the respective ICT service, or the termination of contractual arrangements with ICT third-party service providers. 
  9. The ESAs (European Supervisory Authorities) shall, through the Joint Committee, develop draft implementing technical standards to establish the standard templates for the purposes of the register of information, including information that is common to all contractual arrangements on the use of ICT services
  10. The ESAs shall, through the Joint Committee, develop draft regulatory technical standards to further specify the detailed content of the policy in relation to the contractual arrangements on the use of ICT services supporting critical or important functions provided by ICT third-party service providers.

Implementation actions to take to ensure compliance

Given the extensive nature of DORA, regulated entities will have their hands full to ensure compliance when the Regulation comes into full force in January 2025. Nevertheless, they should consider this compliance process as an opportunity to up their digital operational resilience baseline, given the number of threats they face.

So, what actions should be taken? We recommend the following:

  • Conduct a gap analysis of existing ICT risk management and governance practices.
  • Increase resources dedicated to threat and incident detection as well as improve firm-wide ICT security awareness
  • Understand your current incident reporting capabilities, including the capabilities to detect near-miss incidents, asking yourself whether you would be able to report significant incidents (including relevant details) within 48 hours
  • Begin understanding the skills and capabilities required to shape and run resilience testing. For those familiar with the TIBER framework, consider a potential increase in frequency and scope of testing [ii].
  • Start mapping of TPP contracts and connections as well as documenting and reviewing third-party vulnerabilities to help inform the development of a risk containment strategy.

Finally, DORA is here; and compliance will be needed in no time. As this guide has laid out, compliance will be complex, as the Regulation is expansive. Key to compliance, though, will be finding the appropriate systems, protocols, and tools for ICT risk and incident management. 

Reliable platforms like Noggin can help. They come equipped with sufficient capacity to accurately process necessary data and will remain technologically resilient, to adequately deal with additional information processing needs as required under adverse situations.

Sources

i. Sebastian Bruchwitz et al., JD Supra: Too Important To Fail? Further Light on When EU and Non-EU Technology Providers Will Become Subject To DORA. Available at https://www.jdsupra.com/legalnews/too-important-to-fail-further-light-on-9895139/.

ii. Hugo Atzema and Noah Brandwijk, Deloitte: What can we expect from the Digital Operational Resilience Act? Available at https://www2.deloitte.com/nl/nl/pages/risk/articles/digital-operational-resilience-act.html.
