The Digital Operational Resilience Act (DORA) is here has been saved
The Digital Operational Resilience Act (DORA) is here
The status of some organizations in their DORA implementation journey and challenges you may encounter
DORA is live since January 16th 2023, with a 24-month implementation timeline being granted by the EU. Therefore, financial entities have just under two years to become compliant with this new ICT risk management regulation.
DORA is an initiative from the EU to streamline previous ICT regulations and unify the approach of financial entities towards ICT risk management, as well as to strengthen their operational resilience. The requirements of DORA are spread out across four pillars: ICT Risk Management, Incident Reporting, Digital Operational Resilience Testing, Third-Party Risk. In preparation for the release of this regulation, Deloitte performed an extensive survey of financial entities that encompassed where they stand in their implementation journey, as well as the challenges that they anticipate facing through this process. Deloitte has therefore gained valuable insight to enable further support and guidance to help clients reach their compliance goals over the coming months.
What do the coming months look like? Insights shared and a view on expected challenges
Current Status of the Implementation Roadmap
January 17th 2025 is the ultimate deadline prescribed by the EU that financial institutions should be working towards. Since June 2022, when this deadline was announced by the EU, financial entities have had the opportunity to plan their roadmap to achieve their compliance with this new regulation. Failure to comply will result in hefty administrative fines, remedial measures and criminal penalties* from the EU member states adding an extra layer of pressure on financial institutions. However, our survey demonstrated that only 29% of the surveyed financial entities have a roadmap in place, the rest of the surveyed financial entities have chosen to start their roadmap in 2023 and some in 2024.
Challenges in Implementation of the DORA
Based on experience with clients and insights gathered from the survey, Deloitte foresees the main challenges in implementation per pillar to arise in the following areas.
- Lack of budget to build the program management and roadmap of DORA
- Complexity of performing system mapping and creating an asset catalogue
- Identifying dependencies on critical third-party providers> Performing Business Impact Assessments
- Communication process to authorities of ICT and security incidents
- Testing an annual incident response plan while considering critical or important functions and critical third-party providers
- Performing a timely root cause analysis of ICT related incidents including reporting to internal and external stakeholders
- Assesment of exposure to customers and counterparties in case of significant cyber threat exposure
- Inclusion of the critical third-party providers and services outsourced or contracted to ICT third-party services providers in regular (once every three years or once per year based on complexity and risk profile) financial entity's threat led penetration testing
- Focus on the scenario-based testing and coverage of the critical and important functions as integral part of the resilience testing (applicable to all financial entities except microenterprises)
- Performance of threat led penetration testing
- Establishing effective remediation and follow up process to address vulnerabilities
- Availability of qualified parties to conduct threat led penetration testing
- Regular review of strategy on ICT third-party risk
- Establishing an effective process to verify compliance of ICT third party providers prior to contracting phase
- Drafting and enforcing supplier contracts meeting numerous specific requirements of the regulation
- Defining the multi-vendor strategies with obligation to conduct concentration risk assessments of all outsourcing contracts
To be ready for DORA, Deloitte launched a survey between November 2022 and January 2023. The Deloitte survey covered 20 entities across 20 countries in Europe. The survey provided an overview of the readiness of financial entities as well as their approach to tackle DORA, and the main issues the surveyed financial entities are facing in their implementation. The main industry stakeholders of DORA, based on the survey, are banking at 41%, insurance at 31%, card issuer and acquirers at 24%, and payment service providers at 4%. To have access to the survey and gain insights on how financial entities are tackling DORA, please feel free to reach out to one of our contacts below.
The DORA requires the ESAs to develop 13 secondary technical instruments in two distinct batches, respectively due by 17 January 2024 and 17 July 2024. The first batch (published on 19th June 2023) includes four Regulatory Technical Standards (RTSs) and one Implementing Technical Standard (ITS) as set out below and is open for public consultation until the 11th September 2023:
- RTS on ICT risk management framework;
- RTS on simplified ICT risk management framework;
- RTS on criteria for the classification of ICT-related incidents;
- ITS to establish the templates for the register of information; and
- RTS to specify the policy on ICT services performed by ICT third-party providers.
Support from the EU on Policy Implementation
Our services, aimed at supporting entities to comply with DORA, are eligible for (co-) funding by the EU under the Digital Europe Programme (DIGITAL). The budget for the digital operational resilience actions covered by this Work Programme is EUR 269 million distributed as follows:
- A budget of EUR 177 million for actions related to the “cyber-shield” announced in the EU Cybersecurity Strategy, including Security Operation Centres (SOC);
- A budget of EUR 83 million for actions supporting the Implementation of relevant ICT management EU Legislations;
- A budget of EUR 9 million for programme support actions, including evaluations and reviews.
In addition, actions supporting the deployment of the Secure Quantum Communication Infrastructures (QCI) are included in the Digital Europe Work Programme for 2021-2022, with an indicative budget of EUR 170 million. Our experts on DORA can advise you on how to apply for EU funding to develop actions aimed at strengthening ICT risk and Digital capabilities in the EU financial sector.
How Deloitte Can Help
A two-year window might seem long but when one considers the challenges and requirements of DORA, it is but a short period within which to take cognizance of where you are at and the gaps needing to be filled to get you to where you need to be.Deloitte has experience and expertise in this domain. From performing a readiness assessment right through to assisting you with your implementation plan, Deloitte has diverse capabilities and insight that will enable you to move forward towards DORA compliance.