The digital revolution
Digitisation has been a real game changer for financial institutions. It has been a catalyst for the creation of innovative, competitive new products and services. Moreover, customer expectations have grown such that they expect to access digital financial services 24/7, using multiple channels; anytime anywhere.
The biggest disruptors to this digital utopia are cyberattacks, data breaches and the information and communication technology (ICT) risks faced by financial institutions. A series of high-profile outages and business disruptions at European banks in recent years has highlighted shortfalls in the resilience of financial institutions. To mitigate these challenges, the European Council has created the Digital Operational Resilience Act (DORA).
DORA: Its Purpose and the “Five Pillars”
The aim of the Digital Operational Resilience Act (DORA) is to help financial institutions mitigate ICT risk and to increase the stability, security and consumer confidence of the European Union financial sector. The European Council has been a key orchestrator of the regulation by consolidating and harmonising existing national regulations to instil more robust operational resilience across the financial sector.
From 17 January 2025, 22,000 financial entities and ICT service providers operating in the EU will need to comply with DORA’s detailed framework for managing ICT risk. This includes non-EU firms that have trading branches in the EU. The regulation addresses five areas, often referred to as the “five pillars”.
1. ICT Risk Management Framework – organisations are required to identify, assess, and mitigate risks associated with their ICT systems, within their overarching risk management framework.
2. ICT-related Incidents Management, Classification and Reporting – emphasises the need for an organised approach to managing ICT-related incidents throughout their lifecycle. Organisations are required to establish mechanisms for identifying incidents and classifying them according to their impact. Notably, detailed reporting of incidents to regulators is mandated.
3. Digital Operational Resilience Testing – testing is required to verify that digital resilience strategies are effective and sufficient. This provides confidence that ICT systems, and the client services they support, can withstand and recover from events such as cyberattacks.
4. ICT Third-Party Risk Management – organisations are expected to conduct thorough due diligence on third-party service providers to ensure the whole supply chain contributes positively to the organisation’s overall operational resilience.
5. Information and Intelligence Sharing – encourages the sharing of information and intelligence related to cyber threats and vulnerabilities. This helps foster a collaborative environment which spreads best practices for the greater good of the financial sector.
How to prepare for DORA
It will come as a relief to CISOs / Heads of Operational Resilience that DORA’s requirements are generally consistent with other operational resilience regulations and best practice. Despite this, for many financial institutions, there may be significant changes to make to their digital operational resilience processes and reporting within a short period of time.
We recommend the following three steps to prepare for DORA:
1. Assess the gaps between your existing digital operational resilience processes and external reporting and the new DORA requirements. The new DORA requirements will involve processes and reporting from multiple disciplines, including Operational Resilience, Enterprise Risk Management, Information Security and Third-Party Risk Management. It’s likely that you already have frameworks or solutions in place. Ask key questions about them in light of DORA, including:
- Does your Operational Resilience solution provide for robust resilience test planning and execution?
- Does your ERM solution explicitly cater for ICT risks?
- Does your Information Security solution support the advanced management and reporting of incidents mandated by the Act?
- Does your Third-Party Risk Management solution support the Act's new Register of Information requirements for third parties?
2. Create a cross-functional team of stakeholders. DORA requirements will affect multiple departments within an organisation, so organisations may consider creating a cross-functional project team of stakeholders. The team will typically include the CISO, the Head of Operational Resilience, Regulatory Compliance and Corporate (crisis) Communications; depending on the size of the organisation and its operational resilience maturity, the project may be led by a Change Management agent.
3. Determine whether you have the right software in place to help you execute effectively on DORA requirements. Ask key questions such as: is your software able to provide a holistic solution that supports all DORA stakeholders? Can you fulfil all of DORA’s reporting requirements? How quickly can you implement a new solution in time for the regulatory deadline?
How Decision Focus can help financial entities meet the January 2025 deadline
Decision Focus is a modern, cloud-based GRC software solution that can help organisations meet the complex process and reporting requirements of DORA. Our solution provides DORA project teams with a central repository of required DORA data for real-time performance monitoring, exception reporting and streamlined auditing. Decision Focus has four modules that collectively meet the new DORA requirements: Enterprise Risk Management, Operational Resilience, Third Party Risk Management and Information Security Management. Importantly, because they all operate on the same integrated assurance platform using a single, shared repository, we provide a holistic DORA solution that serves all stakeholders simultaneously. This helps to remove silos between departments whilst controlling data sharing. Because Decision Focus is delivered as a SaaS solution, it places no burden on your organisation’s IT resources and means you can implement our DORA solution within weeks, not months.