The Digital and Operational Resilience Act (DORA)
The Digital and Operational Resilience Act (DORA) is a new Regulation that gives the European Supervisory Authorities (ESAs) new powers over Critical ICT Third-Party service providers, so that the risks arising from financial entities' dependence on ICT service providers can be monitored individually. ICT Third-party service providers (TPPs) will be designated critical, and therefore subject to individual regulatory oversight, either on the basis of predefined criteria or by opting in voluntarily.
DORA was introduced on 15 January 2023 with a two-year adherence period. By January 2025, organisations in scope will have to be in a position to meet the requirements of the Regulation. Those requirements include:
- Enhancing and streamlining financial entities' operational risk management, including operational resilience.
- Increasing supervisors' awareness of the cyber risks and ICT-related incidents faced by financial entities.
- Establishing thorough testing of ICT systems and resilience.
- Introducing powers for financial supervisors to oversee risks stemming from financial entities' dependency on ICT third-party service providers.
DORA takes a proportionality-based approach, tailoring its rules to the size, business complexity and risk profile of each financial institution. However, some requirements will apply systematically: either to all financial entities that do not qualify as micro-enterprises, or only to financial entities identified as significant.
The Regulation will bring convergence with existing guidelines. It provides consistent, unified guidance aligned with EU policy, building on existing EBA/EIOPA guidelines and outsourcing regulatory frameworks, so that operational risks are addressed in a consistent way and the compliance burden and its costs are reduced. This is supported by high-level, principle-based directives that are technology agnostic, so that they apply to all financial institutions, and that remain adaptable and flexible in a changing environment. DORA thus provides holistic guidance that empowers the operational resilience risk function across the entire organisation, from business strategy to operational processes and external providers.
DORA will be a seismic shift in the market, not only for financial services but also for third-party ICT providers. Key impacts include:
- Harmonisation of the key elements of relationships with ICT third-party service providers throughout all stages of contractual arrangements.
- Standard contractual clauses will be required to contain a complete description of the services provided.
- Third-party service providers designated as critical (CTPPs) by the ESAs will be subject to an oversight framework. The ESAs designated as lead overseers are to ensure that each such CTPP is adequately monitored.
To meet the requirements of DORA, now is the time to assess where your organisation stands in terms of compliance with the new standard.
Author:
Neil Redmond, Director of Cyber Security, PWC (BEng 1997, MBA 2004)