Get to Know the Digital Operational Resilience Act (Part 2)
As you may remember from our first blog post on strengthening financial IT resilience, the Digital Operational Resilience Act (DORA) was enacted on January 16, 2023, and will be enforced soon, with supervision starting January 17, 2025.
“That’s a big step towards ensuring that there is resilience in the system. It’s not about crimes, it’s about resilience,” said José Manuel Campa, Chairperson of the European Banking Authority, one of the three EU institutions behind DORA. The DORA regulation’s goal is to ensure the IT resilience and security of every financial entity (FE) in Europe, such as banks, crypto, insurance, and financial firms, together with their Information and Communications Technology (ICT) providers, even during severe operational impacts such as distributed denial of service (DDoS) attacks and ransomware.
Today, a big challenge for the European Supervisory Authorities (ESAs) in the EU is to put together their own team for overseeing DORA.
On April 10, 2024, the ESAs launched their first recruitments to set up a DORA joint oversight team. This announcement came as part of the establishment of a fully integrated team within the three ESAs to carry out the oversight of critical third-party providers (CTPPs) required by DORA.
The joint oversight team includes a Director, Legal Experts and ICT Risk Experts. The EU has set up numerous consultations with FEs in Europe and conducted dry runs with a list of financial market participants, such as very well-known banks in each EU member state and outside entities that do business in the EU. Much like GDPR’s scope, DORA is not limited to those based in the EU but applies to any company working with EU FEs.
As DORA nears its enforcement date, the focus has been on the third-party risk management process and expectations. The feedback is contained in very detailed spreadsheet entries:
- Responses to public consultations on DORA.xlsx
- Responses to public consultations on DORA 1st batch.xlsx
- ESAs published second batch of policy products under DORA | European Banking Authority
It is worth noting that the FCA (Financial Conduct Authority) in the UK also has operational resilience regulations coming into force in March 2025, and NIS2 requirements come into effect for all businesses in October 2024. In the US, the SEC is also mandating rules that focus on technology management and compliance expectations, especially around incident management and the definitions of severity, response and more. DORA also focuses on these points – for example, DORA introduces consistent requirements for FEs on management, classification, and reporting of ICT-related incidents.
DORA also details primary and secondary criteria for these incidents, and when they should be considered major incidents, with suitable thresholds. These include the percentage of FE clients impacted and the associated financial value of the impact. If they cannot be easily determined, estimates based on available data are acceptable.
The duration of the event (longer than 24 hours) and the ICT service downtime (more than 2 hours) are further factors in classifying an incident as a major event.
One of the more challenging requirements is that DORA states that all FEs are required to maintain and update a Register of Information (ROI) in relation to all contractual arrangements on the use of ICT services provided by ICT Third-Party Service Providers (ICT TPPs).
This is a complex document, as the EU documentation shown below illustrates, not least because most contracts may need to be rewritten to accommodate DORA requirements: each service must be numbered for identification purposes, and any critical service must be highlighted.
In May 2024, the EU organised a voluntary exercise for the collection of the registers of information (see above) of contractual arrangements on the use of ICT third-party service providers by the financial entities. Under DORA and starting from 2025, financial entities will have to maintain registers of information regarding their use of ICT third-party providers. In this dry run exercise, this information was collected from financial entities through their competent authorities, as preparation for the implementation and reporting of registers of information under DORA.
DORA Title II provides further harmonisation of ICT risk management tools, methods, processes and policies, as shown below. This categorization and harmonisation is aligned with ISO 27001 as we shall examine in part 3, when we look at various ways to achieve DORA compliance.
The most recent big date in the DORA calendar was July 17, 2024. That is when the EU released its latest analysis of expectations and obligations for DORA, in terms of the EU systemic cyber incident coordination framework (EU-SCICF), kickstarting the process of defining how cyber incidents should be mitigated so that the relevant DORA requirements are met and reasonably achieved.
The EU’s ESAs have also recently been processing the most recent public consultation, with a view to determining further Regulatory Technical Standards (RTS), not all of which are information technology related; some are technical in a business sense. Many are extensions of existing regulatory technical details, and as such have built on lessons learned from earlier legislation.
Looking to the Future
The guidelines have already been adopted by the Boards of Supervisors of the three ESAs. The final draft technical standards have been submitted to the European Commission, which will now start working on their review with the objective to adopt these policy products in the coming months.
Many lessons have been learnt and challenges raised where the EU believes that requirements are reasonable but the industry may have other views, based on the cost of doing business to meet such requirements and other considerations. It is not inconceivable that some FEs or ICT third parties will look to reduce or cease business in the EU if the DORA requirements prove overly onerous, as happened with previous regulatory legislation, for example following the 2008 banking crisis.
In simpler terms, DORA ensures that financial institutions and technology partners are well-prepared to effectively handle disruptions and cyber risks.
It’s all about making sure our FEs stay strong and resilient!
Thrive has a crucial role in bolstering our clients’ operational resilience through our own operationally resilient platform and business, reducing dependency on single systems, teams, or procedures, and enhancing risk management in the financial sector in alignment with DORA’s objectives. Contact Thrive today to learn more about how we can further support your organisation’s DORA compliance requirements.