The Digital Operational Resilience Act came into effect in January 2023, applying to all EU member states with more than 22,000 financial entities and ICT service providers impacted. It also has implications for organisations based in other regions that have relevant operations in the EU.
Although it introduces some specific requirements for frameworks, policies and processes, we recommend integrating with existing capabilities rather than bolting on as a separate compliance requirement.
Let’s take a look at:
- Who is affected, both directly and indirectly?
- What are the requirements?
- How can DORA be integrated into other frameworks?
Who is affected?
The regulation applies broadly to financial entities in the EU. In total there are 20 types defined as financial entities, including credit institutions, account information service providers, insurance intermediaries, and crowdfunding service providers. If you are even tangentially operating in financial services, check the complete definitions to see if you are covered.
In addition, the list of entities covered includes ICT-third party providers. This is a shifting of boundaries. Rather than the financial entities being bound and (usually) passing on requirements or minimum standards through contracts and service agreements, some sections of the regulation apply directly to the third parties themselves.
What are the requirements?
A high-level summary of the requirements include:
- Having an internal governance and control framework to manage ICT related risk, which must be approved by the management body
- Having a comprehensive ICT risk management framework, which must include how the framework supports business objectives
- Identify and document ICT-supported business functions, the IT assets supporting those functions, and their interdependencies
- Identifying interconnections and dependencies with ICT third party providers
- To protect ICT systems from disruption and ensure resilience, continuity and availability, and have policies, procedures and measures in place to ensure the resilience and availability of ICT systems and data
- Having comprehensive incident response, including detection, response and recovery, crisis management, appropriate classification of incidents, and demonstrating lessons learned
- Reporting major incidents to the relevant authority
- Testing of digital operational resilience, with specific requirements on the types of testing, who can complete the testing, and testing frequency
- Having a strategy to manage risks related to ICT third party service providers
- Specific contractual requirements that must be included in ICT third party contracts
- Managing a register of all contractual arrangements with ICT third parties
One of the outcomes for regulators is to gain insight into concentration risk of critical ICT-third party service providers, while also enabling effective enforcement. Of note is that if those third parties deemed critical are currently not located in the EU, they must establish a subsidiary in one of the Member states. The regulation prohibits financial entities from engaging with those third parties if the third party doesn’t create such a subsidiary within the required timeframe.
These requirements come into effect from 17 January 2025.
Integrating DORA requirements into other frameworks
While DORA is focused on ICT, many elements can be incorporated into broader frameworks. You may already have these frameworks in place that capture the ICT elements, or might only require minor change. Let’s take a brief look at each, some actions you might take to incorporate them, reduce compliance burden, and improve organizational insights.
Enterprise Risk Management frameworks
If you have an Enterprise Risk Management framework in place, ICT related risks should already be captured as just one subset of your overall risk profile, and how they link to the objectives of the organisation. Risk assessments at the organisation or department level should already consider ICT related risks or causes. A strong risk taxonomy and reporting capability can highlight which risks relate to ICT without the need for a separate risk assessment process.
You may already have strong ICT-related controls libraries, registers, and assurance programs in place, perhaps aligned with NIST, ISO 27001 or other well-known frameworks. If you do, compare your existing controls and testing regime to the DORA requirements, and update the controls or add more documentation where required.
DORA also requires effective incident management and defining and monitoring risk tolerances. These are integrated and linked in an effective ERM framework, enabling you to meet these requirements while providing broader insights, and adding efficiency to lessons learned and improvement.
Operational Resilience and Business Continuity
DORA is closely aligned with the Operational Resilience requirements that came into effect in the UK in 2022. You could just document ‘ICT supported business functions’ to meet DORA requirements, but if you’re doing this, you’re leaving something on the table. While DORA focuses on ICT specifically, taking a broader approach can enable resilience to your critical functions – whether they are supported by ICT or not.
One of the pillars of operational resilience is understanding the many-to-many relationships between critical functions, the processes and resources required to support them (ICT or otherwise), and the vendors who support them. Effectively mapping these dependencies, supported by technology, helps highlight potential weaknesses or single points of failure. It also enables linking potential risks and scenarios to specific resources, allowing you to see the ultimate effect on business functions.
Similarly, DORA lays out that you must have an ‘ICT business continuity plan’. While the intent is understood, the real outcome is continuity of services that impact external stakeholder, not the IT assets themselves. While there might be IT specific elements (perhaps disaster recovery plans for particular IT assets), ensure they are integrated as part of your overall business continuity plan.
Vendor risk management
DORA requires that sufficient due diligence is conducted, the inclusion of specific contract clauses, and that risks are assessed before engaging with an ICT vendor. While the specified contractual provisions can hold the vendor to account if they were breached, a strong vendor risk management process will monitor and document the ongoing ability of the vendor to meet those contractual obligations. Our recent blog about TSB Bank highlights the dangers of inadequate assurance over your vendors.
A strong vendor risk management process will capture the information that can easily be referenced to demonstrate compliance with DORA, including an assessment of where risks may be concentrated. Beyond compliance, it also provides an overall assessment of how vendors are performing against their service level agreements, and who might be dragging their feet. Understanding the relative importance of each vendor enables optimization of resources to monitor ongoing due diligence.
DORA is understandably focused on ICT. While ICT risks need to be effectively managed, so do other risks to your organisation. At Protecht we recommend integrating the requirements into other frameworks you have, and leveraging the relationships between the data you hold – ensuring you have an integrated solution for risk management, compliance, resilience and vendor management.
Next steps for your organisation
Protecht recently launched the Protecht ERM Operational Resilience module, which
helps you identify and manage potential disruption so you can provide the critical
services your customers and community rely on.
Find out more about operational resilience and how Protecht ERM can help:
- Watch our operational resilience webinar
- Download our operational resilience eBook
- Find out more about our Operational Resilience module
 PwC, 2021: DORA and its impact on UK financial entities and ICT service providers