The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is EU legislation that aims to achieve a high common level of digital operational resilience across the financial sector in all Member States. Its reach is broad: it applies to financial entities established in the EU and also to the ICT third-party service providers that serve them, wherever those providers are located.
Much like the UK regime introduced by the Financial Services and Markets Bill, DORA applies to a wide range of financial entities, such as banks, insurers and investment firms, and also to their critical technology suppliers, bringing IT firms within the remit of financial regulators for the first time. The imperative for DORA is clear: to improve resilience against cyber attacks in a financial industry that is increasingly dependent on digital technology. As digital transformation takes hold, a serious cyber attack can bring a firm's operations to a halt, with consequences not just for the firm itself but for the wider economic ecosystem.
Alarmingly for many firms, time is running out. DORA entered into force in January 2023 and applies from 17 January 2025, with significant penalties for compliance failures. ICT third-party providers designated as critical by the European Supervisory Authorities face periodic penalty payments of up to 1% of their average daily worldwide turnover, which can be applied daily until they comply. Penalties for financial entities are set by the Member States in which they are established and could be larger still. Reputational damage and erosion of customer trust could be more costly again.
Preparing for DORA
The scope of DORA is exceptionally broad, and many firms will need to address a number of considerations in order to achieve compliance.
Firstly, many firms lack the capability to assess cyber incidents comprehensively and systematically, or to analyse their root cause. This matters because DORA requires firms to classify and report major ICT-related incidents and to set out how they monitor and manage the vulnerabilities of their ICT assets on an ongoing basis. Closing the gap between current capability and that standard is not straightforward.
Secondly, risk management. DORA's ICT risk management framework requires firms to have robust and resilient processes for identifying and managing their ICT assets. But many organisations lack a clear view of what those assets are: visibility of the endpoints in their estates has diminished as networks have expanded and grown more complex, and as staff have moved to remote working.
Thirdly, DORA sets out rules on the sharing of cyber threat intelligence. Firms that take part in information-sharing arrangements must notify their competent authorities when their membership is validated and, where applicable, when it ceases. Again, non-compliant firms could face financial penalties or regulatory action.
Finally, firms must run a digital operational resilience testing programme that demonstrates their ICT systems are resilient. Tests must be carried out by independent parties, whether internal or external, with conflicts of interest avoided where internal testers are used. Financial entities identified by their competent authorities must also carry out advanced testing at least every three years, in the form of threat-led penetration testing (TLPT) on live production systems supporting critical or important functions. This will be a challenge for many firms, as very few have penetration testing programmes of the breadth DORA requires, which extends to the ICT third-party providers whose services underpin those functions.
Given the work involved, time is short. Many firms will need to complete remedial work to close gaps and move to cyber solutions that provide the level of functionality DORA requires. Financial entities must also be confident in their third-party suppliers, as DORA places the onus on them to manage ICT third-party risk across their entire supply chain, including through their contractual arrangements.
DORA and UK legislation
Given the broad scope of the act, there is overlap between DORA and the UK operational resilience regime. Both require firms to identify the critical business services they provide, to manage third-party risk and to test their resilience.
However, the UK regime has a wider scope, covering operational resilience beyond the ICT focus of DORA. The two also differ in how impact tolerances (the maximum length of time a disruption to a critical business service can be tolerated) are set and reported, with the UK regime requiring more granular reporting of critical functions and services.
First steps for firms
Firms should start with a comprehensive gap assessment that identifies the areas needing further investment and maturity. Because DORA is far-reaching and highly prescriptive, the biggest challenge will be working out exactly which requirements apply and how long the necessary changes will take. Financial entities should also begin building the register of information on their ICT third-party providers that DORA requires, which competent authorities can request and which helps identify areas of non-compliance across the supply chain, so that decisions can be made on what to do next.
With just over a year to go until DORA applies, the time to act is now.
More information
Read Mazars’ latest report, Future-proofing cyber security in an increasingly digital world, for an in-depth guide on how to understand and mitigate cyber risks.