Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (DORA), is a regulation aimed at fortifying the digital operational resilience of financial entities across the European Union. The DORA entered into force in January 2023, and financial institutions will be expected to comply with the regulation as of January 2025.
One of DORA’s key objectives is to strengthen financial entities’ operational resilience by ensuring prudent risk management of a broad range of information technology and communication (ICT) services. The DORA Regulation applies to a wide range of financial institutions, including but not limited to payment institutions, electronic money institutions, investment firms, management companies, credit institutions, insurance and reinsurance undertakings, crowdfunding service providers, crypto-asset service providers licensed under the MiCA Regulation.
One key provision of DORA requires a company’s management board to take an active role. This includes defining, approving, and overseeing all aspects of the ICT risk management framework. The leadership’s involvement is not merely procedural—it is intended to ensure that ICT risks are treated as strategic business risks, requiring attention at the highest level.
Main Areas of Focus in Preparing for DORA
1. ICT Risk Management
Institutions must build a comprehensive governance and management framework that clearly understands ICT risks. This also means that policies should be regularly updated to reflect the evolving nature of cyber threats and emerging technologies.
2. ICT-Related Incident Reporting
The DORA Regulation introduces stringent requirements for reporting ICT incidents. Financial entities must implement robust monitoring and reporting systems to ensure that incidents are identified, managed, and reported to the regulator in a timely manner.
3. Digital Operational Resilience Testing
Regular testing of digital systems is essential to ensure resilience. Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.
4. ICT Third-Party Risk Management
DORA emphasizes the need for thorough oversight of third-party ICT service providers. Financial institutions remain fully responsible for their digital resilience, even when relying on external ICT providers.
Recommendations of ECOVIS ProventusLaw
- GAP Analysis:
– Conduct a thorough assessment of your current compliance status. DORA is not merely a box-ticking exercise—it’s about ensuring operational robustness in the face of growing digital risks. Identifying and addressing gaps now will prevent future disruptions.
- ICT Third-Party Risk Management:
– Given the increasing reliance on external ICT providers, financial entities must prioritize third-party risk management. Ensuring that contracts meet DORA’s requirements and regularly reviewing third-party arrangements will be crucial to maintaining resilience.
- Governance:
– Strong internal governance is essential for compliance. Organizations should ensure that roles and responsibilities related to ICT risk management are clearly defined, with the management board actively involved in overseeing the implementation of DORA-related measures.
- ICT Risk Management Framework:
– This is the backbone of DORA compliance. Financial institutions should review and update their ICT strategies, policies, and procedures to align with the requirements of the regulation. Special focus should be placed on updating resilience strategies, ensuring they are robust and adaptable in the face of potential disruptions.
- Digital Operational Resilience Testing:
– Regular testing ensures that both internal and third-party systems are prepared for any operational disruptions, and continuous improvements based on test results are essential to maintaining long-term digital resilience. Ensure testing extends to third-party ICT providers. Under DORA, you are accountable for the resilience of your third-party providers, so their systems should undergo the same level of scrutiny as your own.
If you’re unsure of what DORA is or how your organisation should be preparing for it, do not hesitate to contact us.