GAP Compliance Analysis by DORA Regulation

What is DORA?

On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA).  The legal proposal is based on existing information and communication technology risk management (ICT) requirements already developed by other EU institutions and links several recent EU initiatives into a single decree.

The European Parliament ratified the EU’s Digital Operational Resilience Act (DORA) on November 10th 2022.

This effectively concluded the DORA’s legislative process and the DORA’s 24 month implementation begins.

This means all affected EU-based parties should expect to have to comply with the DORA’s requirements by the end-2024.

DORA aims to provide a comprehensive framework to harmonize processes and digital resilience standards across the financial sector. DORA also aims to strengthen supervisor powers and enable direct supervision.

The requirements will also apply to the subjects of the traditional financial sector and third-party service providers of financial entities.

DORA is a “game changer” that will push FSI firms to understand fully how their ICT, operational resilience, cyber and TPRM (Third Party Risk Management) practices affect the resilience of their most critical functions as well as develop entirely new operational resilience capabilities such as advanced scenario testing methods

1. ICT risk management requirements – a broader focus across critical business functions

The DORA’s ICT risk management framework puts the onus on the firm’s management body to take “full and ultimate accountability” for the management of ICT risks, for setting and approving its digital operational resilience strategy, and for reviewing and approving the firm’s policy on the use of ICT Third Party Providers (TPPs), among other responsibilities. The DORA gives competent authorities the power to apply administrative penalties and remedial measures on members of the management body for any breaches of the Regulation.

The ICT risk management framework requires firms to set risk tolerances for ICT disruptions supported by key performance indicators and risk metrics. Firms must also identify their “Critical or Important Functions” (CIFs) and map their assets and dependencies.

A new inclusion in the final DORA text is the requirement for firms to carry out business impact analyses based on “severe business disruption” scenarios.

2. ICT incident classification and reporting – consolidation of existing requirements but with significant enhancements

The DORA’s incident reporting framework is meant to streamline a number of existing EU incident reporting obligations that apply to FSI firms. It will nevertheless create a substantial new classification, notification and reporting framework that will challenge firms to improve their ability to collect, analyse, escalate, and disseminate information concerning ICT incidents and threats. In our view, most firms do not currently possess all the capabilities needed to assess the quantitative impact of incidents and analyse their root causes in the way they will need to under the DORA.

3. Digital operational resilience testing – introducing challenging new requirements

The DORA establishes a digital operational resilience testing requirement for all in-scope firms (except for microenterprises) where they will have to:

show that they conduct an appropriate set of security and resilience tests on their “critical ICT systems and applications” (a potentially more granular definition that CIFs) at least annually;

“fully address” any vulnerabilities identified by the testing. Together with the business impact analysis requirement, this could evolve into a significant area of supervisory scrutiny and push firms to develop broader and more accurate testing and scenario analysis capabilities; and,

firms above a certain threshold of systemic importance and maturity (to be specified by a Regulatory Technical Standard (RTS)), will need to conduct “advanced” Threat-Led Penetration Testing (TLPT) every three years (unless amended by national authorities on a firm-by-firm basis).

4. TPRM – strengthening the European FS framework

The DORA TPRM requirements, like the ESA Guidelines, contain a number of contractual terms that firms must include in ICT outsourcing contracts by the implementation deadline in Q4 2024. Placing these in binding law, as the DORA does, will increase the pressure on FS firms to negotiate these terms with their providers where they have been unsuccessful before. Certain terms, such as the TPP providing “unrestricted access to premises” in contracts supporting CIFs, may be more difficult to implement than others.

5. CTPP oversight framework – the world’s first FSI oversight regime for third parties

TPPs that are designated as “critical” will be subject to extensive supervisory powers that will allow the ESAs to assess them, ask them to change security practices, and sanction them if they do not. This will push CTPPs to demonstrate that they can improve the resilience of their own operations that support FS firms, and particularly where the CIFs of FS firms are implicated.

DORA defines the ability of authorities to order FSI firms to suspend or terminate their contracts with CTPPs. These powers will only be used in exceptional circumstances and with due regard to the impact they would have on the sector. DORA also significantly expands the role of the Joint Oversight Forum (JOF), a group of the ESAs, relevant authorities, supervisors, and independent experts. The JOF will now play a more important role in developing consistent best practices for the oversight of CTPPs, and could, over time, establish a clearer standard for their expected level of resilience.

Why is it crucial?

While the use of third parties is valuable for financial entities, increasing dependency results in a corresponding growth in operational risk and a potential for mismanagement. Strengthening the wider financial sector operational resilience is key and our common interest.

As a fine, 1% of the average daily worldwide turnover may be imposed. Although a 12-18 months grace period will be allowed for organizations, early preparation could be key.

Now that the technical agreement on the DORA has been inalized, FSI firms need to begin to plan seriously for the task of implementing the Regulation. As we have said earlier in this analysis, we believe the DORA to be a game changer for how every FSI firms approach operational resilience, as it will push them to take a broader view of resilience and develop sophisticated new capabilities in areas such as CIF identification, reporting, impact measurement and testing.

 

Early implementation actions

In our view, several actions that firms should be considering include:

• On ICT risk management: conducting a gap analysis of existing ICT risk management and governance practices. Additionally, increasing resources dedicated to threat and incident detection and improving firm-wide ICT security awareness training programmes with a special focus on awareness of management bodies such as the board is crucial. We believe that special attention must be focused on clarifying what exactly are your critical assets, where they are hosted, what they host and what processes they support. This will be input for resilience testing later on.
• On incident reporting: running an incident management and reporting maturity evaluation to understand the firm’s current-state capabilities and evaluate the firm’s awareness of the multiple ICT incident reporting requirements that apply in the FSI sector. Also, see if you have the capabilities to detect near-miss incidents. Questions to ask yourself here is if you are capable of always reporting significant incidents within 48 hours and if you are able to provide information such as determining geographical spread and the number of users affected.
• On resilience testing: understanding the skills and capabilities required to shape and run resilience testing, including training sessions for board members on resilience testing methods (including TLPTs if likely to be in scope of advanced testing requirements), and the implications for remediation. If familiar with the TIBER framework then also consider a potential increase in frequency and scope of testing as DORA may mandate increased testing.
• On TPP risk management: focusing on improving mapping of TPP contracts and connections, documenting and reviewing third party vulnerabilities to help inform the development of a risk containment strategy. Truly understand what service providers are critical to the hosting of core business processes. Is there an exit strategy, or fault-tolerant architecture in place for mitigating a loss of certain critical vendors?

As DORA moves towards finalization. firms need to aware of the implementation challenges that will arise for the two-year window. Firms can stay on the front foot by taking a proactive approach to develop a realistic and achievable implementation plan.

How can Deloitte help?

Deloitte can help you along the entire journey towards compliance with DORA by assessing your current readiness and proposing measures to meet the regulatory requirements while customizing the remediation plan to your specific environment. Deloitte can help with different activities allowing you to improve your current capabilities and to implement DORA’s requirements.

Deloitte can also help you to stay on top of the regulatory agenda with its regulatory watch service and keep you up to date on the evolution of DORA and other regulations.