How Will DORA Affect the Board of Directors?

How DORA is Transforming the Management’s Role in Financial Services

EU’s Digital Operational Resilience Act (DORA) ushers in a new era for financial services firms, placing extensive operational resilience requirements and heightened board oversight mandates on various entities within the EU’s financial sector. From traditional banking and insurance institutions to emerging players like payment service providers, crypto asset custodians, and fund managers, the scope of DORA covers an impressively diverse range. Moreover, it even extends its purview to encompass critical service providers, marking a significant shift by directly regulating entities that are pivotal to the functioning of the financial services sector.

DORA regulations have not only brought about a transformation in the governance landscape but have also raised the accountability of boards to a level that was previously unseen. This transformative act has shifted the balance of responsibility between financial entities and their boards, compelling the latter to take a much more active role in operational resilience and ICT (Information and Communication Technology) risk management.

However, the implications of DORA go beyond mere rhetoric and oblige boards to take concrete steps to meet their obligations. Among the most significant requirements is establishing individual civil liability for board members, with the potential for criminal liability remaining an option. As a result, the enactment of DORA is not just a regulatory change; it’s a game-changer set to redefine the roles, responsibilities, and potential liabilities of board members in financial institutions.

DORA Implementation Date:

Financial entities operating in the EU and their critical Information and Communication Technology (ICT) providers must be prepared to meet DORA’s mandates by January 17, 2025.

The Evolving Role of Management Boards

Under DORA, boards are now entrusted with overseeing the implementation and continual evaluation of policies, plans, and arrangements. These obligations are diverse and encompass critical elements such as defining roles and responsibilities for ICT-related functions, establishing governance arrangements, defining reporting channels for third-party service providers, developing data security policies, ensuring ICT business continuity, and crafting internal audit plans. However, having these policies and procedures in place is insufficient; boards are expected to adopt a proactive and informed approach to their roles.

This involves maintaining the knowledge and skills required to comprehend and assess ICT risks and their potential consequences. Board members must bridge any knowledge gaps and equip themselves with a foundational understanding of the technical and organizational dimensions of ICT security and resilience. 

Additionally, DORA stipulates that boards must receive regular reports from senior ICT personnel. These reports should encompass insights gleaned from testing, audits, and incidents. Furthermore, boards should establish robust reporting channels that facilitate the timely receipt of information regarding significant ICT-related incidents.

The Stakes Are High

Beyond the organizational consequences of non-compliance with DORA, this regulation significantly heightens the personal responsibility and accountability of board members. Member States are directed to establish individual civil liability for board members, and the option for criminal liability is retained. Consequently, DORA raises the stakes for board members, making it crucial for them to ensure they are well-prepared to navigate the DORA regulatory landscape. 

Personal liability for board members, combined with rigorous penalties for non-compliance, is what makes DORA a game-changer for the financial industry.

DORA: A Harmonization of Regulations

Interestingly, DORA is not an entirely new regulation; rather, it harmonizes existing regulations and introduces areas not previously covered by financial services regulation. It places a heightened focus on testing and incident management, creating new obligations and risks for boards and internal auditors. This could create resource challenges, with some tasks outsourced because the demand for expertise in these new security requirements outstrips the available supply.

The CISO’s Role under DORA

DORA significantly elevates the role of Chief Information Security Officers (CISOs) and their interaction with the Board of Directors. CISOs find themselves in a pivotal position, as DORA places a strong emphasis on Information and Communication Technology (ICT) and the management of information security risks. DORA requires active participation from the Board in overseeing ICT risk management, making it logical for CISOs to report directly to the Board.

DORA’s Influence on Management Responsibilities

As the Digital Operational Resilience Act (DORA) approaches implementation, the dynamics of management responsibilities are set to undergo significant transformations. DORA bestows explicit duties on Boards and C-suite executives (CxOs), emphasizing their instrumental role in adhering to the stringent regulatory standards.

1. Strengthened Oversight and Active Decision-Making

DORA reinforces the commitment of Boards and senior management to operational resilience. In a practical sense, they must endorse critical initiatives, including the corporate digital operational resilience strategy. This strategy encompasses the ICT third-party management policy (TPPs), demanding focused enhancements to existing safeguards. Additionally, senior management must make operational model decisions to integrate DORA requirements into daily operations. This entails defining risk tolerance levels and prioritizing remedial actions to address identified operational vulnerabilities.

While full supervisory expectations are yet to crystallize, the components of DORA necessitating proactive direction, endorsement, and oversight will place additional demands on Boards. DORA compliance standards will require Boards and CxOs to demonstrate their commitment to corporate resilience against specific and broader sector-specific threats. This entails strengthening their understanding and awareness of the company’s ability to navigate potential ICT disruptions while maintaining uninterrupted services. Boards and CxOs must demonstrate sound management decisions, engage in a rigorous review and challenge of resilience plans, and consequently fortify the overall resilience of their organizations. Management must continually assess threats and vulnerabilities from the external environment to dynamically integrate them into the company’s operational resilience framework.

2. The Long-Term Ramifications of Continuous Compliance

DORA introduces a continuous approach to resilience management, transcending the 24-month implementation period. Even the largest and most structured financial institutions will confront formidable challenges, spanning operational resilience testing, incident reporting, and business impact analysis. This enduring approach emphasizes constant evaluation and evolution, with businesses required to conduct resilience tests, assess risks, and scrutinize the efficacy of their resilience plans. Furthermore, they must continuously collect data on threats and incidents to meet new reporting requirements and craft risk scenarios. Notably, DORA mandates the identification of critical or essential functions (CIFs) to fortify resilience, particularly concerning threat identification and scenario testing.

DORA’s underlying philosophy is that operational resilience is not a one-off endeavor but a dynamic obligation that adapts to the evolving threat landscape. To achieve a robust operational resilience level, Boards and CxOs must invest in strategic capabilities such as threat intelligence and resilience testing. These strategic assets provide insights into the impact of risk scenarios on vital functions, facilitating informed investment decisions and enhancing response capabilities to unexpected disruptions.

3. Challenges in Business Outsourcing Strategies

Mitigating vulnerabilities stemming from third-party relationships is a core challenge in bolstering operational resilience. DORA introduces the first global framework for supervising critical third-party service providers (CTPs). European Supervisory Authorities (ESAs) receive new powers to oversee third-party providers and manage the associated risks to the financial services industry.

Moreover, DORA introduces several new third-party risk management requirements for financial sector companies. The severity of these requirements escalates when third-party providers support the critical or essential functions (CIFs) of businesses. This aspect particularly affects FinTech and digital-native companies, where reliance on specific digital platforms may heighten exposure to ICT risk, necessitating increased supervisory oversight.

Businesses must also evaluate the risk of third-party concentration, which could expose financial operators to heightened supervisory scrutiny. This could prompt Boards to revisit their sourcing strategies, consider multi-vendor approaches, assess their risk appetite for third-party relationships, and reevaluate the roles of risk management and procurement functions.

4. Investment Decisions and Resilience by Design

Building operational resilience requires companies to become pivotal players in business decisions and operating model design, advocating a concept of “resilience by design.” Specifically, companies in the financial sector must identify the expected level of resilience as part of the digital operational resilience strategy mandated by DORA.

Boards and CxOs must assess the overall business case for investing in resilience capabilities, demonstrating how upfront costs align with a more resilient and sustainable operational model. Prioritizing areas that align with supervisory agendas, such as identifying CIFs, conducting business impact analyses, implementing operational resilience testing, and refining incident reporting processes, becomes paramount.

Management must also consider how supervisors will apply DORA’s principles effectively. Larger and more complex operators may possess advanced capabilities in specific areas but face heightened scrutiny due to the systemic importance of their critical services. Smaller operators, on the other hand, will benefit from less stringent requirements but will still need substantial investments to align with the regulation’s broader requirements, such as ICT incident reporting and third-party risk management provisions.

DORA: A Continuous Journey for Operational Resilience

DORA Europe is not a one-time compliance exercise but a continuous journey to maintain operational resilience in a constantly evolving threat landscape and increasingly complex technology environment. Over the next 24 months, European supervisory authorities will focus on translating the secondary regulatory aspects of DORA and refining their expectations regarding operational resilience.

As a result, Boards and CxOs will play a pivotal role in shaping the path to operational resilience throughout DORA’s implementation period. Establishing a resounding “tone from the top” regarding the commitment to creating operational resilience will be crucial. Regulatory and supervisory authorities, investors, and stakeholders will increasingly consider this commitment, given the rising prevalence of operational threats in the financial sector.
