2 minute read 13 Apr 2021

How will the Digital Operational Resilience Act impact your organization?

Authors
Robin Blondeel

EY Belgium Financial Services IT Risk Management Senior Manager

Dedicated to Financial Services. Focused on keeping our clients’ IT risks under control. Passionate about helping our clients. I enjoy running and soccer.

Sylvie Goethals

EY Belgium Financial Services Risk Partner, EY EMEIA Financial Services Consulting Service Quality Leader

Dedicated to Financial Services. Focused on quality in delivery and client satisfaction. Proud mother of 2 children. Loves walking and running with her dog in the countryside.


The proposed Digital Operational Resilience Act (DORA) aims to harmonize ICT risk requirements across Europe. What does that mean for you?

The Digital Operational Resilience Act (DORA) Proposal was published in response to the European Commission’s Digital Finance Strategy (September 2020), which tackles digital transformation risk mitigation through prescriptive and consistent rules on digital operational resilience. It aims to create one unified approach across Europe, across regulators and across the financial services industry.

Whilst the official regulation is still in draft form within Europe, regulators expect financial institutions to begin focusing on operational resilience. Moreover, we see increased interest in the Belgian financial services sector. The December 2020 Statement issued by the European Central Bank (ECB) regarding supervisory cooperation on operational resilience focused on the following key points:

  • The importance of operational resilience and the ability of banks to recover from operational disruption,

  • The recognition of activities undertaken by the industry to date (while acknowledging that more work is to be done to ensure resilience against operational disruption),

  • The requirement to ensure that banks are resilient to potential operational disruptions from all hazards, including severe but plausible cybersecurity incidents,

  • The ECB’s commitment to working closely with the Fed and PRA to coordinate supervisory approaches.

Operational resilience is already a key strategic theme across the financial services industry, and more broadly across the information and communications technology (ICT) companies that provide services to financial services firms. To date, we have seen a number of interest groups publish their approach to operational resilience and to DORA specifically. We also see an increased focus on operational resilience in countries such as the UK and the US, which further drives the need for alignment.

DORA will apply to the whole financial sector. It will also apply to firms captured within the expanded regulatory perimeter under the term ‘critical ICT third-party service providers’, which will include services such as cloud resources, data analytics and audit.

Although the Act is currently still in draft form and the final regulations are only expected to be published by 2022, it is imperative for firms to start thinking about, and working on, their operational resilience journey.

We have created a high-level paper to help you understand the regulations and identify where to focus. It outlines DORA’s specific objectives:

  1. Address ICT risks and strengthen digital resilience,

  2. Streamline ICT-incident reporting,

  3. Provide access for supervisors to ICT incident-related information,

  4. Ensure assessment of preventive and resilience measures,

  5. Facilitate cross-border acceptance of testing results,

  6. Govern the monitoring of ICT third-party providers,

  7. Oversee critical ICT third-party providers,

  8. Exchange threat intelligence.


Despite this regulation being brand new, EY can help you prepare. We have a track record of delivering operational resilience transformation projects through our multidisciplinary teams, and can help you evolve, grow and comply in this rapidly changing regulatory environment.


Summary

While DORA is not expected to enter into force before 2022, firms should start getting ready. Indeed, the regulation covers a wide range of aspects, with 8 specific objectives for which all financial services institutions need to be prepared.
