In November 2022, the European Union (EU) adopted the Digital Operational Resilience Act (DORA), an innovative regulatory framework that addresses risks posed by the digital transformation of financial services, as well as the increase in volume and severity of cyber attacks within the sector.
DORA has been formally adopted, and the regulation enters into force on 16 January 2023. In short, DORA targets businesses and organisations that operate in the financial sector, as well as critical third parties that offer ICT-related services to financial entities. With a relatively tight preparation and implementation period of 24 months, financial entities will be expected to be compliant with the regulation by 17 January 2025.
Competent authorities of the Member States will ensure compliance oversight and enforce the regulation, where necessary through administrative penalties and remedial measures on members of the management body of the financial entity in question.
More than 22,000 financial institutions and ICT service providers based in the EU will be subject to DORA. In short, all financial market participants - including banks, investment companies, insurance companies and intermediaries, data reporting providers, and cloud service providers - will be subject to the regulatory framework introduced by DORA.
Banks/Payments and emoney providers
Insurance providers
Reinsurance providers
Capital markets entities
Brokers/CSDs/CCPs
Investment firms/Pension Funds
Credit Institutions/Credit rating agencies
Cloud providers/SaaS/Outsourcers
Software providers
Critical ISV and systems integration providers
Fraud management providers
Penetration testing providers
Collaborative tools providers
Data storage solution providers
Information management systems/CRM solution providers
Payment solutions providers
Now that DORA is officially adopted, financial entities will need to consider, implement and comply with numerous binding obligations in the years to come. The following timeline outlines the key phases in the development and enforcement of DORA.
DORA introduces a five-pillar framework of ICT Risk Management, Incident Reporting, Operational Resilience Testing, Third-Party Risk Management (TPRM) and Information Sharing, ensuring a consistent provision of services across the entire digital value chain.
Under DORA, financial entities are required to set up a comprehensive ICT Risk Management Framework (ICT-RMF), based on key performance indicators and risk metrics that are continuously monitored.
As part of the ICT-RMF, financial entities must:
Set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk.
Map their ICT assets and dependencies, as well as identify "Critical or Important Functions" (CIFs).
Establish dedicated and comprehensive Business Continuity Management (BCM) and Disaster Recovery (DR). While many financial entities might have such plans already in place, the regulatory requirements of DORA will increase supervisory pressure to develop more complex BCM/DR scenario-testing and incorporate redundancy and substitutability into the CIFs.
In order to meet these requirements, financial entities will need to expand their existing resilience capabilities, clearly articulate their risk appetite for disruption across CIFs and adequately understand the interconnections between their delivery services and their ICT assets, processes and systems.
Under DORA, financial entities will be subject to a novel classification, notification and reporting framework that will challenge existing collection, analysis and escalation processes within financial entities.
As part of this novel framework, financial entities must:
Develop a streamlined process to record and classify all significant ICT incidents, which will require mature incident management capabilities in order to monitor, handle and resolve all incidents.
Assess the quantitative impact of all ICT incidents and analyse their root causes.
Notify clients and other financial entities in the event of a significant ICT incident and provide them with information on appropriate protection measures.
Submit an initial, intermediate and final report to their competent national authorities on ICT-related incidents. DORA does not define the reporting deadlines but delegates this to the European Supervisory Authorities (ESAs), which will specify common technical standards regarding incident reporting.
DORA establishes digital operational resilience testing (ORT) requirements for financial entities, which will have to:
Annually conduct advanced security and resilience tests on critical ICT systems and applications.
Promptly eliminate any vulnerabilities, deficiencies or gaps through the implementation of mitigating measures.
Periodically conduct advanced Threat-Led Penetration Testing (TLPT) for CIFs. ICT third-party service providers are required to participate and fully cooperate in such activities, something that is rarely done in exercises today.
In combination with the stringent BCM/DR requirements, ORT could evolve into a significant area of supervisory scrutiny and force financial entities to develop broader and more accurate testing and scenario analysis capabilities.
Under DORA, financial entities are legally obliged to implement TPRM requirements, which include the following:
Conduct concentration risk assessments of all outsourcing contracts that support the delivery of CIFs.
Ensure that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details and binding contractual terms.
Critical ICT third-party service providers will be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks.
Ensuring TPRM across their digital value chains will be a challenging task for financial entities and a comprehensive Supply Chain Resilience Framework could therefore become an area of increased supervisory scrutiny.
DORA allows financial entities to set up arrangements amongst themselves in order to exchange cyber threat information, in line with the existing TIBER-EU framework. The supervisory authority will provide relevant anonymised information and intelligence on cyber threats to financial entities. As such, financial entities should implement mechanisms to review and take action on the information shared by the authorities.
PwC can assist your organisation along the entire resilience journey towards compliance with DORA, from the assessment of your current readiness through to assisting you in the implementation of measures to meet the regulatory requirements and embed those in your risk, security, resilience and compliance management.