Understanding the Digital Operational Resilience Act and Its Pillars

Beyond the clouds, the sky appears vast and unrestricted, seemingly without any constraints. However, the truth is quite different. International rules govern the airspace, ensuring safety and order for air traffic. Air traffic controllers rely on these rules to maintain an organized and secure airspace. These regulations are crucial in guaranteeing the safety and reliability of air travel, granting us the freedom of movement we cherish.

Similarly, the digital realm offers immense possibilities, particularly the cloud, where data is accessible anytime, anywhere. But akin to air traffic, the cloud requires rules and oversight to ensure stability and benefits. Cloud providers and online services must abide by regulations to function optimally.

The cloud exemplifies the potential and risks digitalization introduces to the financial sector. Enter the Digital Operational Resilience Act (DORA), the EU’s first legislative initiative focusing on financial services’ digital operational resilience. Designed to be a game-changer in risk management, DORA consolidates and elevates the requirements faced by firms, ushering in a new era of accountability and preparedness at the senior management level. DORA enforces stricter regulations on ICT service providers and brings uniformity and supervision to the seemingly boundless sky beyond the clouds.

The Digital Operational Resilience Act proposed by the European Commission in 2020 represents a groundbreaking regulatory initiative that takes on the most pressing challenges of managing ICT risks at financial institutions and critical ICT third-party service providers. 

Financial organizations increasingly rely on Information and Communication Technologies (ICT) and cloud service providers for their core functions, so a comprehensive framework to manage digital risks has become necessary. Effective management of these risks is crucial for digitalization to fully capitalize on the numerous opportunities it offers to the banking and financial industry. To this end, DORA sets the stage for a transformative approach to resilience, where financial entities must be prepared to withstand, respond to, and recover from a wide range of ICT-related disruptions and threats.

The regulation spans most financial services firms operating within the EU, establishing binding rules for ICT risk management, incident reporting, resilience testing, and third-party risk management (TPRM). Beyond its sweeping impact on financial entities, DORA creates an unprecedented framework that enables supervisory authorities to oversee Critical ICT Third-Party Providers (CTPPs), including Cloud Service Providers (CSPs), crucial contributors to the industry’s digital ecosystem.

Extending Resilience to ICT Service Providers:

Unlike previous regulations primarily focused on financial services firms, DORA broadens its scope to include ICT (Information and Communication Technologies) service providers crucial for supporting core financial business services. Banks, insurance providers, credit institutions, investment firms, and crypto-asset service providers are responsible for ensuring that their numerous ICT providers adhere to the new requirements. This alignment ensures that the same resilience rules bind financial entities and their supporting third-party ICT partners.

Read on as we delve into the five pillars that form the foundation of the Digital Operational Resilience Act implementation. Each pillar holds significant implications for financial services firms operating within the EU.

1. ICT Risk Management Requirements

At the heart of DORA’s framework lies ICT risk management, with the responsibility put on the firm’s management body to take “full and ultimate accountability” for managing ICT risks. Senior management will define the digital operational resilience strategy, set risk tolerances, and approve policies concerning ICT Third-Party Providers (TPPs). The regulation grants relevant authorities the power to impose administrative penalties and remedial measures for any regulatory breaches.

To comply with ICT risk management requirements, firms must set risk tolerances, identify Critical or Important Functions (CIFs), and map their assets and dependencies. It is important to note that including CIFs in DORA marks a significant evolution, leading to a sharper focus on the entity’s functions and activity. 

Also included in this pillar is the obligation for firms to conduct business impact analyses based on “severe business disruption” scenarios. These analyses aim to drive the development of more sophisticated testing methods.

2. ICT Incident Classification and Reporting

DORA streamlines existing EU incident reporting obligations while introducing significant enhancements. Financial entities must now possess increased capabilities to collect, analyze, and report information on ICT incidents and threats. 

If a client or counterparty is exposed to a “significant cyber threat,” DORA mandates that financial services firms promptly inform relevant parties and furnish details about suitable protective measures to counter the threat. Additionally, these entities must document all significant cyber threats, requiring a new level of incident management.

The requirements for financial entities under this pillar include the following:

  • The classification of ICT-related incidents
  • The classification approach and materiality thresholds for determining major ICT-related incidents to be reported from financial entities to competent authorities
  • The criteria and the thresholds to be applied when classifying significant cyber threats
  • The criteria to be applied by competent authorities to assess the relevance of major ICT-related incidents to relevant competent authorities in host member states and the details of the information to be shared with them

3. Digital Operational Resilience Testing

DORA introduces comprehensive digital operational resilience testing requirements for financial firms. Firms must conduct security and resilience tests on their “critical ICT systems and applications” at least annually, addressing identified vulnerabilities. Some firms must undergo “advanced” Threat-Led Penetration Testing (TLPT) every three years, aligned with the ECB’s TIBER-EU framework.

Testing exercises must include all TPPs supporting CIFs, requiring collaborative mapping of TPPs to CIFs. “Pooled testing” arrangements for TPPs unable to participate due to security reasons will necessitate collective industry action to operationalize.

4. Third-Party Risk Management (TPRM)

The DORA TPRM requirements expand on existing ESA Guidelines, broadening coverage to ICT outsourcing beyond Cloud Service Providers (CSPs). Binding these terms in law intensifies pressure on financial entities to negotiate with providers. Conducting concentration risk assessments for outsourcing contracts supporting CIFs will challenge firms to justify operating model decisions and adopt a multi-vendor approach where necessary.

5. ICT Third Party Providers Oversight Framework

DORA grants extensive supervisory powers to ESAs over designated Critical ICT Third-Party Providers (CTPPs). This empowers the ESAs to assess, request security practice changes, and sanction CTPPs. New safeguards ensure that FS firms will only be ordered to suspend or terminate contracts with CTPPs in exceptional circumstances, with due regard to sector-wide implications.

The Joint Oversight Forum (JOF) is more prominent in developing consistent best practices and setting more precise standards for CTPPs’ expected resilience.

DORA: A Response to the Evolving Financial Landscape

With the rising adoption of cloud services, financial entities have become increasingly interconnected and interdependent. The COVID-19 pandemic further accelerated the shift to remote operations, making digital infrastructure a critical aspect of financial services.

Recognizing the need for a holistic approach to risk management, EU regulators introduced DORA to expand oversight to the digital infrastructure ecosystem. The regulation addresses the distributed digital infrastructure and aims to enhance the financial industry’s overall resilience through comprehensive operational risk oversight.

Scope of DORA and Its Pillars

DORA applies to all financial entities within the EU, including banks, payment institutions, insurance companies, and investment firms. Moreover, it encompasses critical ICT third-party providers that 

Preparing for DORA

As the final version of DORA is anticipated within the next year, financial entities and ICT service providers can take proactive steps to prepare:

  • Raise Awareness: Understand DORA’s regulatory requirements and involve the management board in preparing the groundwork for a successful program.
  • Define Roles and Responsibilities: To establish a DORA program, designate roles and assign responsibilities to all relevant internal stakeholders.
  • Conduct a Gap Analysis: Undertake a self-assessment to evaluate compliance with DORA’s proposed ICT risk management requirements. 
  • Create a Risk-Based Roadmap: Once gaps in your system have been identified, develop a plan to bridge compliance gaps and enhance digital resilience in alignment with DORA’s pillars.
  • Foster Collaboration: Outside professional assistance may be required to achieve compliance with DORA. Identify and prioritize partners for collaborative efforts to meet DORA’s regulations.

The Digital Operational Resilience Act (DORA) represents a significant milestone in the ongoing efforts to bolster operational resilience within the financial sector. Officially launched in January 2023, this regulation is set to revolutionize risk management for financial entities operating within the European Union (EU). The Digital Operational Resilience Act timeline began just after its publication. By Q4 2024, responsibility for DORA’s application will pass to the relevant financial services supervisors, who will expect covered ICT firms to comply with DORA’s new directives.
