How to prepare for the Digital Operational Resilience Act?

The European Parliament has approved the Digital Operational Resilience Act (DORA), which will enter into force in 2025.

In brief:

• DORA will require financial services to embed digital resilience on all levels of their operations, based on six pillars
• It is urgent to perform a gap assessment and to prepare a roadmap to get into compliance.

On November 10th, 2022, the Digital Operational Resilience Act (DORA) was approved at the European Parliament’s plenary session. Once implemented, it will make the compliance and regulatory landscape of the financial services (FS) sector more homogenous with regards to digital resilience, the management of ICT-related risks and cyberthreats.

DORA will require companies to focus on a Digital Resilience Strategy accompanied by a Digital Resilience Framework. This englobes all the transversal activities of the business. Therefore, it requires an end-to-end view of the entire ICT landscape that supports critical business functions, as well as a mature approach to business continuity, incident management and third-party risk.

How exactly will this affect  FS and the professional services delivered to the industry? How will it shape the market and impact its actors? And more importantly, what can you do to prepare for such a demanding change?
 

A shift from compliance to a “risk-centric approach"

The main purpose of the text is to make sure digital resilience policies and frameworks, as well as their governance be integrated into an overarching Digital Resilience Strategy at an institution-wide level. This calls for a shift in responsibilities. CEOs and the Executive Committee are now the main people responsible and accountable to define this strategy. Therefore, they should prioritize Digital Resilience as a key element on their upcoming roadmaps and agendas as this requires major coordination between all departments within institutions and cannot be achieved overnight.

To ensure digital resilience, the regulatory text foresees six crucial pillars to cover:

• Governance & Organization
• ICT Risk Management Framework
• ICT Incident Management, Classification & Reporting
• Digital Operational Resilience Testing
• Third-Party Provider Risk Management
• Information Sharing

For each of these areas, DORA includes specific requirements that need to be embedded into the company’s three Ps (People, Processes & Products) on a transversal level. This will require institutions to align their current frameworks and governance to European Supervisory Authorities’ (ESAs) expectations to make the overarching risk management practice embed the current and upcoming Regulatory Technological Standards (RTSs) imposed by DORA.
 

With the Act approved, the EC and ESAs have foreseen a period of two years (2023 & 2024) for companies to prepare for DORA and implement it. This period will see ESAs further defining the needed RTSs and making requirements more concrete. It will be a crucial time for companies to align their governance and practices to DORA's resilience pillars and to identify a roadmap with key deliverables to materialize their digital resilience strategy. They can do this through an initial gap assessment, starting with an analysis of the company profile. The gap assessment will also define the current level of maturity, including the compliance with existing guidelines (most common references include ESA Guidelines, NIS, CROE, etc.) and with existing IT Risk Management Strategy and standards (such as ITIL, COBIT, NIST CSF, ISO, etc.). This will help identify a delta in DORA requirements and  lay out a roadmap analyzing the priorities and efforts needed to constitute a sound Digital Resilience Strategy and framework. Note that, during this period, the Regulators will further define new Regulatory Technical Standards (RTSs) and Implementation Technical Standards (ITSs). It is crucial for the strategy and newly defined framework  to be sufficiently agile in order to welcome these new standards.

Beginning of 2025, the Act will come into force. This means that ESAs will expect the mandatory reports outlined by DORA to be available upon their request,  and will use them to assess any gaps in the market. During this timeframe, companies should focus on maturing the Digital Resilience Framework. They should also, by then, be prepared to perform the mentioned annual evaluations, testing and reports. By the end of 2025, mandatory penetration testing will come into force, and certification by ESAs will have to be obtained.

Regulators confirmed that DORA will by default become the “lex specialis”, preceding any overlapping regulatory texts such as NIS or ESA guidelines. Companies should keep this in mind when performing an internal check of their regulatory compliance and use DORA as the main reference to avoid further unforeseen gaps when DORA comes into force in 2025.
 

More resilient companies, but at what cost?

The requirements and expectations laid out by DORA will impact the market as a whole. Becoming digitally resilient may represent a costly endeavor for certain actors and, while DORA will translate into a more robust market, companies are rightfully concerned about the financial implications of such a regulation, particularly on SMEs.

Regulators have foreseen the concept of proportionality in the application of such texts to tackle these concerns. To establish a safer and more competitive market, ESAs, when regulating financial entities, will consider aspects such as the company size, its complexity and the services provided . Besides size and complexity, there is another determining factor that provides some insight into the financial implications of DORA,  which is the maturity profile and level. Companies with lower maturity in their governance and internal practices will have to further invest resources and money to acquire the capability and capacity to answer to the challenge DORA represents. Tackling this at an early stage is key in succeeding, as a reactive approach will always be more costly than a preventive attitude.