6 minute read 14 Dec 2022

How to prepare for the Digital Operational Resilience Act?

Authors
Sylvie Goethals

EY Belgium Financial Services Risk Partner

Dedicated to Financial Services. Focused on quality in delivery and client satisfaction.

Borja Bosch

EY Belgium Technology Risk Advisory Senior Manager, Financial Services

Experienced in technology governance and digital transformation. Dedicated to innovation and sustainability. Passionate about History.


The European Parliament has approved the Digital Operational Resilience Act (DORA), which will enter into force in 2025.

In brief:

  • DORA will require financial services to embed digital resilience on all levels of their operations, based on six pillars.
  • It is urgent to perform a gap assessment and to prepare a roadmap to get into compliance.

On November 10th, 2022, the Digital Operational Resilience Act (DORA) was approved at the European Parliament’s plenary session. Once implemented, it will make the compliance and regulatory landscape of the financial services (FS) sector more homogeneous with regard to digital resilience, the management of ICT-related risks and cyberthreats.

DORA will require companies to focus on a Digital Resilience Strategy accompanied by a Digital Resilience Framework. This encompasses all the transversal activities of the business. Therefore, it requires an end-to-end view of the entire ICT landscape that supports critical business functions, as well as a mature approach to business continuity, incident management and third-party risk.

How exactly will this affect FS and the professional services delivered to the industry? How will it shape the market and impact its actors? And more importantly, what can you do to prepare for such a demanding change?

A shift from compliance to a “risk-centric approach”

The main purpose of the text is to make sure that digital resilience policies and frameworks, as well as their governance, are integrated into an overarching Digital Resilience Strategy at an institution-wide level. This calls for a shift in responsibilities. CEOs and the Executive Committee are now the main people responsible and accountable for defining this strategy. Therefore, they should prioritize Digital Resilience as a key element on their upcoming roadmaps and agendas, as this requires major coordination between all departments within institutions and cannot be achieved overnight.

To ensure digital resilience, the regulatory text foresees six crucial pillars to cover:

  • Governance & Organization
  • ICT Risk Management Framework
  • ICT Incident Management, Classification & Reporting
  • Digital Operational Resilience Testing
  • Third-Party Provider Risk Management
  • Information Sharing

For each of these areas, DORA includes specific requirements that need to be embedded into the company’s three Ps (People, Processes & Products) on a transversal level. This will require institutions to align their current frameworks and governance with the European Supervisory Authorities’ (ESAs) expectations, so that the overarching risk management practice embeds the current and upcoming Regulatory Technical Standards (RTSs) imposed by DORA.

Closer collaboration with ESAs and stronger controls

If one thing becomes clear when reading through the 64 articles of DORA, it is the fact that ESAs will play a key role in the overall digital resilience of the market. Companies can expect closer supervision from ESAs and stronger controls, with obligations such as:

  • defining specific policies,
  • implementing a mature IT Risk Management Framework,
  • sharing mandatory reporting for major ICT-related incidents,
  • designing robust Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs),
  • performing mandatory annual resilience testing approved by the Executive Committee.

ESAs are expecting a whole new range of reporting and communication from financial institutions, a source of information that aims to deepen the EU’s collective cyber-threat knowledge.

One of the major changes is the Digital Operational Resilience Testing, based on Threat-Led Penetration Testing. There are two categories in this area:

  • The first one is a mandatory annual internal testing with a report of the results to be provided to the ESAs (following a specific format provided by the regulator). It is applicable to all actors of the financial sector.
  • The second one is an advanced testing to be performed once every three years. It is applicable to companies meeting specific criteria that the regulator will define in the coming months. This advanced testing, done by an external entity, will allow ESAs to issue a certificate stating the company’s compliance with regard to penetration testing. Failing to obtain it could result in a potential halt of the company’s activities.

How to prepare for DORA compliance, within the tight deadlines?

The DORA implementation timeline is as follows:

[Figure: DORA implementation timeline]

With the Act approved, the EC and ESAs have foreseen a period of two years (2023 & 2024) for companies to prepare for DORA and implement it. This period will see ESAs further defining the needed RTSs and making requirements more concrete. It will be a crucial time for companies to align their governance and practices with DORA’s resilience pillars and to identify a roadmap with key deliverables to materialize their digital resilience strategy.

They can do this through an initial gap assessment, starting with an analysis of the company profile. The gap assessment will also define the current level of maturity, including compliance with existing guidelines (the most common references include ESA Guidelines, NIS, CROE, etc.) and with the existing IT Risk Management Strategy and standards (such as ITIL, COBIT, NIST CSF, ISO, etc.). This will help identify the delta against DORA requirements and lay out a roadmap analyzing the priorities and efforts needed to constitute a sound Digital Resilience Strategy and framework. Note that, during this period, the Regulators will further define new Regulatory Technical Standards (RTSs) and Implementing Technical Standards (ITSs). It is crucial for the strategy and newly defined framework to be sufficiently agile to accommodate these new standards.

At the beginning of 2025, the Act will come into force. This means that ESAs will expect the mandatory reports outlined by DORA to be available upon their request, and will use them to assess any gaps in the market. During this timeframe, companies should focus on maturing the Digital Resilience Framework. They should also, by then, be prepared to perform the mentioned annual evaluations, testing and reports. By the end of 2025, mandatory penetration testing will come into force, and certification by ESAs will have to be obtained.

Regulators confirmed that DORA will by default become the “lex specialis”, taking precedence over any overlapping regulatory texts such as NIS or ESA guidelines. Companies should keep this in mind when performing an internal check of their regulatory compliance and use DORA as the main reference to avoid further unforeseen gaps when DORA comes into force in 2025.

More resilient companies, but at what cost?

The requirements and expectations laid out by DORA will impact the market as a whole. Becoming digitally resilient may represent a costly endeavor for certain actors and, while DORA will translate into a more robust market, companies are rightfully concerned about the financial implications of such a regulation, particularly on SMEs.

Regulators have foreseen the concept of proportionality in the application of such texts to tackle these concerns. To establish a safer and more competitive market, ESAs, when regulating financial entities, will consider aspects such as the company size, its complexity and the services provided. Besides size and complexity, there is another determining factor that provides some insight into the financial implications of DORA, which is the maturity profile and level. Companies with lower maturity in their governance and internal practices will have to invest more resources and money to acquire the capability and capacity to answer the challenge DORA represents. Tackling this at an early stage is key to succeeding, as a reactive approach will always be more costly than a preventive one.


Summary

On November 10th, 2022, the European Parliament approved the Digital Operational Resilience Act (DORA), which will enter into force in 2025. It includes six pillars for financial services to focus on in order to maximize their digital resilience. ESAs will increase their supervision of financial institutions and will implement stronger controls. The sector needs to start preparing now by performing a gap assessment and defining a roadmap to compliance.
