Exploring DORA: What the Digital Operational Resilience Act spells for financial services
Over the course of the last decade, technology adoption has accelerated across the financial services sector. From investments to banking and tax, many services are now delivered digitally or are supported by ICT infrastructure.
For all the benefits this brings – efficiency and cost savings amongst them – the sheer scale and speed of this digital transformation has multiplied operational risks across the industry. Should a critical part of ICT infrastructure fail – say, a bank’s cloud provider goes offline for 24 hours – the consequences could be vast.
In the face of these evolving technology-based risks, the operational resilience of the financial services sector has been a key focus for regulators. One of the most comprehensive examples of this comes in the form of the Digital Operational Resilience Act (DORA), officially adopted by the European Union in January 2023.
Affected firms have until January 2025 to be fully compliant with DORA. Though it is EU legislation, DORA will likely apply to many UK organisations, given that they work within the EU. UK organisations will therefore need to prepare to comply with its guidance.
So, what does the act involve, and how can affected organisations prepare?
What is DORA?
DORA has been established to ensure digital resilience is embedded throughout the financial services sector. Its focus is on addressing risks posed by the industry’s reliance on third party ICT providers, and making sure affected organisations can withstand digital disruption.
The act is far-reaching. It applies to credit, payment and e-money institutions, investment firms, crypto-asset providers, central securities depositories, crowdfunding providers and ICT third-party providers, to name a few.
It essentially encourages a uniform approach to the security of network and IT systems that are involved in the operation of financial services. This includes:
1. ICT risk management: DORA mandates that affected organisations must have an internal framework in place to properly manage ICT risk. This will be overseen by management, responsible for approving
2. Managing ICT third parties: The act was introduced to account for the financial services sector’s reliance on third party providers of ICT services. It therefore strongly encourages those who are responsible for ICT risk management to review and account for third party risks.
3. Reporting major incidents: Though DORA’s focus is on mitigating risk, it also mandates guidance for when incidents, such as cyber attacks, occur. This includes having specific incident reporting processes that cover how to identify, respond to, document and act on such incidents, to help increase resilience.
4. Resilience testing: The act emphasises the importance of digital resilience testing for key ICT systems and processes to ensure they can withstand threats or disruption. As part of DORA’s mandate, affected organisations will need to create and embed a comprehensive resilience testing framework that covers how to identify risks and deficiencies, and the measures to take to address them.
DORA represents a significant step change in how many organisations across financial services will approach ICT risk management – so it’s important to prepare. This is particularly crucial when you consider the impact of non-compliance. Regulators may order organisations to cease specific activities or discontinue using certain third-party ICT providers, disrupting operations further. Non-compliant organisations may also face financial penalties, depending on the local regulatory body: potentially fines valued at 1% of the average daily worldwide turnover in the preceding business year.
How can organisations ensure DORA compliance?
A pragmatic first step? Gather relevant people and teams from across the organisation – whether CISO, CIO, IT or risk management leads – to pull together a plan for implementing any new infrastructure. Organisations will likely have to undertake a comprehensive review of existing infrastructure and processes – whether that’s for incident reporting, resilience testing or third party services – to map out where improvements should be made in line with DORA’s requirements. This includes how to identify, classify and document all potential ICT risks, and compiling comprehensive business continuity plans, including ICT disaster recovery and communication plans. These will need to be regularly tested, with risk assessments performed at least once a year – or in response to incidents, resilience testing, audit findings, supervisory instructions, or significant changes to ICT systems.

As the industry strives to comply with DORA and fortify its operational resilience, technology itself emerges as a key enabler: whether cloud computing, backup and disaster recovery systems, or cyber security software. By adopting secure and flexible technology solutions, affected organisations can protect critical data and systems, and navigate disruptions with confidence.

Though DORA compliance is a major undertaking, it is a necessary – and legislatively enforced – one. By having a laser focus on digital resilience, we can build a financial services sector able to withstand modern, evolving risks and fit for the future.