Less than six months to go from its implementation date, the Digital Operational Resilience Act (DORA) is a game changer in the regulatory landscape due to:
- The broader spectrum of financial entities in scope which includes credit institutions, insurance, investment firms, alternative investment fund managers and many more.
- The uniformity in expectations set across multiple industries.
- Its extension to include ICT third party providers utilised by the in scope financial entities.
DORA came in force in January 2023 with a two-year transition period during which the European Supervisory Authorities (ESA) have hosted a number of events to engage with relevant entities as well as publish a number of supplementary expectations through regulatory technical standards, with the latest batch due in July 2024.
Digital advancements or technology transformation has been more increasingly identified in strategic initiatives. Common objectives identified are enhancing the customer experience offering digital channels to enjoy services offered, as well as to optimise internal method of operations. Such transformation causes new or additional risks to emerge, many of which are intended to be mitigated by the requirements outlined in DORA.
The effort for regulated entities to become DORA compliant varies and depends on the individual entity's (or group) operating model, exposure and appetite towards Information, Communication and Technology (ICT), as well as the pre-existing supervisory requirements applicable in each industry. It is therefore vital that Boards and Senior Management are informed of DORA's expectations, its importance, and the need to set the tone from the top.
In a nutshell, DORA can be broken down in the following themes:
- ICT risk management, including business continuity, response and recovery
- ICT related incident management
- Digital operational resilience testing
- Managing of ICT third-party risk
- Information sharing
Clear roles and responsibilities as well as embracing the principle of accountability is necessary at different levels, from the Board of Directors/Management Body, Senior Management, as well as to a dedicated Risk Function. The general principles of risk management may be the theme that has been operational in most, if not all, of the financial entities in scope – nonetheless, explicitly embedding ICT risks as well as identifying ownership to manage and oversee such risks may require further analysis depending on existing organisational risk culture and risk maturity levels.
DORA defines ICT services as
"digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services"
Depending on a regulated entity's operating model, it is common to place reliance on ICT service providers. Contractual arrangements are key, and the internal processes and legal documents used by regulated entities ought to be reviewed and aligned against specific requirements that stem from DORA. Nevertheless, the ultimate responsibility to adhere to DORA, together with the relevant risks of such operations, remain with the financial entity that is directly supervised by the respective ESA. This is not limited to the managing ICT third-party risk but also to its complementary requirements for ICT risk management, business continuity, and incident management.
Key success factors to align and embed DORA in daily operations include:
- Establish robust governance arrangements
- Defined policy requirements, processes, and templates
- Clear definitions and scope of DORA to individual or group entity operations
- Registers with adequate and sufficient information
- Available tools and means to timely identify, assess, escalate, mitigate, report and monitor relevant incidents and third-party arrangements.
Ahead of the upcoming due date in January 2025, our local team of advisory experts has been working with financial entities to assist in achieving DORA compliance. You are one step away from a private conversation on how we can help you achieve readiness and establish a robust risk and control framework to manage ICT related risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.