In November 2022, the European Union (EU) adopted the Digital Operational Resilience Act (DORA) – an innovative regulatory framework that addresses risks posed by the digital transformation of financial services as well as the increase in volume and severity of cyber attacks within the sector. DORA has since been formally adopted and entered into force at the start of 2023.
DORA targets businesses and organisations that operate in the financial sector as well as critical third parties that offer information and communication technology (ICT)-related services to financial entities. With a relatively tight preparation and implementation period of 24 months, financial entities will be expected to be compliant by Q4 2024.
Competent authorities of the Member States will ensure compliance oversight and enforce the regulation, where necessary through administrative penalties and remedial measures on members of the management body of the financial entity in question.
More than 22,000 financial institutions and ICT service providers based in the EU will be subject to DORA. All financial market participants including banks, investment companies, insurance companies and intermediaries, as well as data reporting providers and cloud service providers, will be subject to the regulatory framework introduced by DORA.
Financial entities in scope:
Insurance providers
Reinsurance providers
Capital markets entities
Brokers/CSDs/CCPs
Investment firms/Pension Funds
Credit Institutions/Credit rating agencies
ICT third-party service providers in scope:
Software providers
Critical ISV and systems integration providers
Fraud management providers
Penetration testing providers
Collaborative tools providers
Data storage solution providers
Information management systems/CRM solution providers
Payment solutions providers
DORA officially entered into force in 2023 after its adoption and publication in the Official Journal of the European Union.
The draft technical standards, which include Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS), are currently being developed by the European Supervisory Authorities (ESAs). These include stringent requirements on key areas of compliance including ICT and third-party risk management, incident classification and reporting. Three RTSs from the first deadline have already been approved by the European Commission. The final version is expected to be published in the Official Journal later this year.
As we are officially in the DORA applicability period of 24 months, before the official enforcement in 2025, financial entities have to implement and comply with a large number of binding obligations. The following timeline outlines the key phases in the development and enforcement of DORA.
DORA introduces a five-pillar framework of ICT Risk Management, Incident Reporting, Operational Resilience Testing, Third-Party Risk Management (TPRM) and information-sharing, ensuring a consistent provision of services across the entire digital value chain.
Under DORA, financial entities are required to set up a comprehensive ICT Risk Management Framework (ICT-RMF), which is based on key performance indicators and risk metrics which are continuously monitored.
As detailed in the draft RTS, as part of the ICT-RMF, financial entities must:
Set up and maintain resilient ICT security policies, procedures, protocols and tools that minimise the impact of ICT risk.
Set up a coherent human resources policy, as well as identity management and access control systems.
Develop mechanisms enabling a prompt detection of anomalous activities with the potential of becoming ICT-related incidents.
Map their ICT assets and dependencies as well as identify ‘Critical or Important Functions’ (CIFs).
Establish dedicated and comprehensive Business Continuity Management (BCM) and Disaster Recovery (DR) plans. While many financial entities might already have such plans in place, the regulatory requirements of DORA will increase supervisory pressure to develop more complex BCM/DR scenario testing and to incorporate redundancy and substitutability into the CIFs.
Continuously document and review the entire ICT-RMF.
In order to meet these requirements, financial entities will need to expand their existing resilience capabilities, clearly articulate their risk appetite for disruption across CIFs and adequately understand the interconnections between their delivery services and their ICT assets, processes and systems.
Under DORA, financial entities will be subject to a novel classification, notification and reporting framework on ICT-related incidents that will challenge existing collection, analysis and escalation processes within financial entities.
As part of this novel framework and in line with the draft RTS, financial entities must:
Develop a streamlined process to record and classify all major ICT-related incidents and significant cyberthreats; this requires mature incident management capabilities in order to monitor, handle and resolve all incidents.
Assess the quantitative impact of all ICT incidents and analyse their root causes.
Notify clients and other financial entities in the event of a major ICT-related incident and provide them with information on mitigation measures. In the case of significant cyberthreats, financial entities shall inform clients who might be affected and provide information on appropriate protection measures.
Submit an initial, intermediate and final report to their competent national authorities on major ICT-related incidents.
DORA delegates the definition of classification and reporting to the European Supervisory Authorities (ESAs), which are currently in the process of developing common technical standards.
DORA establishes digital operational resilience testing (ORT) requirements for financial entities, which will have to:
Annually conduct advanced security and resilience tests on critical ICT systems and applications, especially on those supporting critical or important functions.
Promptly eliminate any vulnerabilities, deficiencies or gaps through the implementation of mitigating measures.
Periodically (at least every 3 years) conduct advanced Threat-Led Penetration Testing (TLPT) for CIFs. ICT third-party service providers supporting such functions are required to participate and fully cooperate in these tests, something that rarely happens in exercises today.
In combination with the stringent BCM/DR requirements, ORT could evolve into a significant area of supervisory scrutiny and force financial entities to develop broader and more accurate testing and scenario analysis capabilities. Further requirements for identifying financial entities required to perform TLPT, testing scope, methodology and results will be detailed in the upcoming set of RTS on TLPT.
Under DORA, financial entities are legally obliged to implement TPRM requirements, including:
Conduct concentration risk assessments of all outsourcing contracts that support the delivery of CIFs.
Ensure that the contracts with the ICT third-party providers contain all the necessary monitoring and accessibility details and binding contractual terms.
Critical ICT third-party service providers will be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks.
Ensuring TPRM across their digital value chains will be a challenging task for financial entities and a comprehensive Supply Chain Resilience Framework could therefore become an area of increased supervisory scrutiny.
DORA allows financial entities to set up arrangements amongst themselves in order to exchange cyberthreat information, in line with the existing TIBER-EU framework. The supervisory authority will provide relevant anonymised information and intelligence on cyberthreats to financial entities. As such, financial entities should implement mechanisms to review and take action on the information shared by the authorities.
PwC can assist your organisation along the entire resilience journey towards compliance with DORA, from the assessment of your current readiness through to assisting you in the implementation of measures to meet the regulatory requirements and embed those in your risk, security, resilience and compliance management.