Digital Operational Resilience Act (DORA)

Background

In November 2022, the European Union (EU) adopted the Digital Operational Resilience Act, an innovative regulatory framework that addresses risks posed by the digital transformation of financial services, as well as the increase in volume and severity of cyber attacks within the sector. 

DORA has been formally adopted, and the regulation enters into force on 16 January 2023. In short, DORA targets businesses and organisations that operate in the financial sector, as well as critical third parties that offer ICT-related services to financial entities. With a relatively tight preparation and implementation period of 24 months, financial entities will be expected to be compliant with the regulation by 17 January 2025. 

Competent authorities of the Member States will ensure compliance oversight and enforce the regulation, where necessary through administrative penalties and remedial measures on members of the management body of the financial entity in question.

Who is impacted?

More than 22,000 financial institutions and ICT service providers based in the EU will be subject to DORA. In short, all financial market participants - including banks, investment companies, insurance companies and intermediaries, data reporting providers, and cloud service providers - will be subject to the regulatory framework introduced by DORA.

  • Banks/Payments and e-money providers

  • Insurance providers

  • Reinsurance providers

  • Capital markets entities

  • Brokers/CSDs/CCPs

  • Investment firms/Pension Funds

  • Credit Institutions/Credit rating agencies

  • Cloud providers/SaaS/Outsourcers

  • Software providers

  • Critical ISV and systems integration providers

  • Fraud management providers

  • Penetration testing providers

  • Collaborative tools providers

  • Data storage solution providers

  • Information management systems/CRM solution providers

  • Payment solutions providers

When will DORA impact my organisation? 

Now that DORA is officially adopted, financial entities will need to consider, implement and comply with numerous binding obligations in the years to come. The following timeline outlines the key phases in the development and enforcement of DORA. 

On 24 September 2020, the European Commission published its proposal for a Digital Operational Resilience Act (DORA) as part of the wider Digital Finance Package (DFP).

Following the publication of the proposal, the co-legislators - the European Parliament and Council of the European Union - started negotiations on their respective DORA approaches, after which technical and political trilogues were started between them.

The European Council adopted DORA on 28 November 2022, after the European Parliament voted in favour of the act on 10 November.

DORA enters into force in Q1 2023 after its publication in the Official Journal of the European Union.

The first regulatory and implementing technical standards (RTS and ITS) should be developed by the European Supervisory Authorities (ESAs) during 2023.

Multiple RTS and ITS will be defined and communicated by the ESAs, to provide financial entities with technical specifications and guidance on how to implement specific DORA provisions.

While DORA requirements are applicable from the entry into force of the Regulation, they are enforceable by early 2025. During this preparation period of 24 months, financial entities are expected to work towards full compliance.


What is digital operational resilience?

DORA introduces a five-pillar framework of ICT Risk Management, Incident Reporting, Operational Resilience Testing, Third-Party Risk Management (TPRM) and Information Sharing, ensuring a consistent provision of services across the entire digital value chain.

ICT risk management framework

Under DORA, financial entities are required to set up a comprehensive ICT Risk Management Framework (ICT-RMF) that is based on key performance indicators and risk metrics that are continuously monitored.

As part of the ICT-RMF, financial entities must:

  • Set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk.

  • Map their ICT assets and dependencies, as well as identify "Critical or Important Functions" (CIFs). 

  • Establish dedicated and comprehensive Business Continuity Management (BCM) and Disaster Recovery (DR). While many financial entities might have such plans already in place, the regulatory requirements of DORA will increase supervisory pressure to develop more complex BCM/DR scenario-testing and incorporate redundancy and substitutability into the CIFs.

In order to meet these requirements, financial entities will need to expand their existing resilience capabilities, clearly articulate their risk appetite for disruption across CIFs and adequately understand the interconnections between their delivery services and their ICT assets, processes and systems.

ICT incident classification and reporting

Under DORA, financial entities will be subject to a novel classification, notification and reporting framework that will challenge existing collection, analysis and escalation processes within financial entities.

As part of this novel framework, financial entities must:

  • Develop a streamlined process to record and classify all significant ICT incidents, which will require mature incident management capabilities in order to monitor, handle and resolve all incidents.

  • Assess the quantitative impact of all ICT incidents and analyse their root causes.

  • Notify clients and other financial entities in the event of a significant ICT incident and provide them with information on appropriate protection measures.

  • Submit an initial, intermediate and final report to their competent national authorities on ICT-related incidents. DORA does not define the reporting deadlines but delegates this to the European Supervisory Authorities (ESAs), which will specify common technical standards regarding incident reporting.

Operational resilience testing

DORA establishes digital operational resilience testing (ORT) requirements for financial entities, which will have to:

  • Annually conduct advanced security and resilience tests on critical ICT systems and applications. 

  • Promptly eliminate any vulnerabilities, deficiencies or gaps through the implementation of mitigating measures.

  • Periodically conduct advanced Threat-Led Penetration Testing (TLPT) for CIFs. ICT third-party service providers are required to participate and fully cooperate in such activities, something that is rarely done in exercises today.

In combination with the stringent BCM/DR requirements, ORT could evolve into a significant area of supervisory scrutiny and force financial entities to develop broader and more accurate testing and scenario analysis capabilities.

Third-party risk management

Under DORA, financial entities are legally obliged to implement TPRM requirements, including:

  • Conduct concentration risk assessments of all outsourcing contracts that support the delivery of CIFs. 

  • Ensure that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details and binding contractual terms.

  • Note that critical ICT third-party service providers will themselves be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks.

Ensuring TPRM across their digital value chains will be a challenging task for financial entities and a comprehensive Supply Chain Resilience Framework could therefore become an area of increased supervisory scrutiny.  

Cyber threat intelligence and information sharing

DORA allows financial entities to set up arrangements amongst themselves in order to exchange cyber threat information, in line with the existing TIBER-EU framework. The supervisory authority will provide relevant anonymised information and intelligence on cyber threats to financial entities. As such, financial entities should implement mechanisms to review and take action on the information shared by the authorities.

How can PwC assist your organisation? 

PwC can assist your organisation along the entire resilience journey towards compliance with DORA, from the assessment of your current readiness through to assisting you in the implementation of measures to meet the regulatory requirements and embed those in your risk, security, resilience and compliance management. 

Now that DORA is adopted, financial entities need to plan seriously for the task of implementing the regulation. Getting a head start will allow organisations to identify in good time any areas that require substantial investment and prioritisation.

While DORA aims at harmonising cybersecurity regulatory frameworks for the financial sector within the EU, many of its requirements were already introduced in existing (national) regulations and guidelines within the financial sector. A study by the Carnegie Endowment confirms this and praises the harmonised and comprehensive framework proposed by DORA to address shortcomings in overlapping regulatory systems. 

That being said, as always, the devil is in the details and it will be essential for all financial entities to undertake a gap assessment and establish a strategy to achieve compliance within the 24-month preparation period.

Finance has not only become largely digital throughout the whole sector, but digitalisation has also deepened interconnections and dependencies within the financial sector and with infrastructure and service providers.

A new element that is introduced by DORA is the scrutiny on ICT third-party service providers, whereby supervisory authorities are now mandated to address operational risks directly with (critical) third-party service providers. 

This constitutes both an opportunity and a challenge for ICT third-party service providers to enhance the resilience of their services, and it requires financial entities to thoroughly assess their dependencies on third-party providers and to develop more sophisticated methods to test and monitor their resilience.

Contact us

Pascal Tops

Partner, PwC Belgium

Tel: +32 473 91 03 68

Gregory Joos

Partner, Head of Financial Services, PwC Belgium

Tel: +32 473 91 03 53

Roy Coppieters

Director, PwC Belgium

Tel: +32 477 81 49 11