The acronym “DORA,” the European Commission’s (EC) Digital Operational Resilience Act, will not sound new to most regulatory experts. The draft regulation has been under negotiation since it was first published in 2020.
DORA aims to address fragmentation in the Information and Communications Technology (ICT) risk management frameworks in the financial sector, by creating a harmonized regulatory framework on digital operational resilience. All firms that are subject to this regulation must ensure they can cope with all types of ICT-related disruptions and mitigate cyber threats through each stage of their lifecycle.
DORA also has a sibling: the Network and Information Security (NIS2) Directive. NIS2 is the successor to the original NIS Directive on the security of network and information systems, which provides legal measures to raise the overall level of cybersecurity in the European Union (EU). NIS2 and DORA will be aligned where their scope overlaps, and their expected publication timelines are roughly the same.
Although the publication timeline has not yet been explicitly confirmed, developments indicate that we may expect final publication in late 2022 or early 2023. Once published, there will be a 24-month implementation period. But our experience with the General Data Protection Regulation (GDPR) has taught us that anticipation is a better strategy than remediation.
The perceived impact and suggested approach to implementation
The content of DORA is, for a large part, a reflection of the organic growth in importance that operational resilience has seen in the last few years. It will not surprise the reader that having a digital resilience strategy is now mandatory, that ICT risk tolerance must be documented, or that one must be able to identify all sources of ICT risk, including those introduced by third parties. Significant areas of impact include everything surrounding third-party security management and supply chain risk, the implementation of vulnerability disclosure practices, and vulnerability assessment, among others.
DORA also brings forward some substantial new requirements that may demand investment and a significant implementation period to comply with. In the context of these requirements, you may want to consider whether you can answer the following questions: “How will you implement the requirement that any operational resilience incident must be notified to the authorities within hours of detection, and that incident reports must contain a view of actual costs and losses caused by the incident?” or “How will you implement the requirement that your third-party register must now contain considerably more detail on performance targets, security provisions and outsourcing risks?”
Only a pragmatic approach that addresses digital risks and gaps can help organizations keep on top of the new regulations and the likely impact. We’ve summarized a few key actions organizations must take to prepare for NIS2 and DORA:
- Know your organization: organizations should understand and identify all their critical processes, services and assets.
- Know your gaps: organizations should perform a gap assessment on DORA and NIS2 well in advance to know where they stand.
- Map your gaps against your risk landscape: identify which gaps fall within risks that have already been identified, and check for areas of the control framework that could become more problematic.
- Only invest in areas where you can see real value: supply chain risk, for example, is an area in which many organizations have significantly underinvested, and that may need to change.
- When you make investments, consider NIS2 and DORA together: choose actions that address the requirements of both the act and the directive, so that work done for one also counts toward the other.
- Once DORA and NIS2 are finalized, perform another gap assessment: the resulting document can be shared with the regulator (if asked for) or with the company board (if questions arise).
How EY teams can help
EY teams regularly monitor developments in regulatory frameworks and publications such as the NIS2 Directive and DORA. While DORA and NIS2 may not introduce highly disruptive changes, they codify existing industry best practices in the form of an act and a directive.
These developments were already on the radar in 2019–2020, and some proactive clients requested EY teams’ support with gap assessments and implementation plans back then. EY teams have delivered many projects in the domain of supply chain security well before the inception of DORA or NIS2, which allows them to offer organizations pragmatic and cost-effective options in this space, built on experience rather than targeting compliance alone.