The EU’s Digital Operational Resilience Act for financial services

The GDPR of the financial sector?

5 April 2022

What is DORA?

On 24 September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA). The legislative proposal builds on existing information and communications technology (ICT) risk management requirements already developed by other EU institutions and ties together several recent EU initiatives into one Regulation.

The DORA aims to provide a comprehensive framework in order to harmonize digital resilience processes and standards across the financial sector. DORA also aims to strengthen the authorities of the supervisors and enables direct oversight.

The requirements will apply to traditional financial sector entities, fintechs and third-party service providers of financial entities as well.

When is it coming?

The Proposal is currently being reviewed by the European Parliament and Council and is expected to enter into force by the end of 2022 summer. Once the DORA comes into effect, the requirements will apply in all 27 EU Member States and it will manifest regulation and enforcement around the management of Information and Communication Technologies (ICT) third party service providers and the implied risks, with possible sanctions.

Why compliance is crucial?

While the use of third parties is valuable for financial entities, increasing dependency results in a corresponding growth in operational risk and a potential for mismanagement. Strengthening the wider financial sector operational resilience is key and our common interest.

As a fine, 1% of the average daily worldwide turnover may be imposed. Although a 12-18 months grace period will be allowed for organizations, early preparation could be key. 

How Deloitte can help?

Deloitte's experts are ready to support organizations in establishing solid pillars of operational resilience as proposed and required by the DORA.

We offer holistic services that can support your organization from GAP analysis to implementation. We have proven tools and methodologies to help our Clients meet requirements of DORA:

  • Risk Management Framework: To meet DORA’s requirements organizations will need to have established and reliable risk management processes. Deloitte will help to align your organization’s business strategies and cyber risks, and to maintain a comprehensive and effective risk management framework.
  • Incident Reporting: DORA aims to harmonize incident classification and reporting processes. Early detection of incidents and timely response is crucial. We help our clients to adapt to the new EU reporting rules, align internal reporting processes to optimize resource allocation.
  • Resilience Testing: DORA requires financial services to test their systems based on the associated risks. This includes vulnerability scans and penetration tests as well as robust business continuity and disaster recovery testing.

    DORA introduces threat-led penetration testing (TLPT) for critical players. Deloitte Central Europe Cyber practice provides best-in-class penetration testing services due to our highly skilled professionals and technological background.
  • Threat Intelligence Sharing:  Cyber threat activities often target multiple organizations of the financial industry at the same time. The DORA’s focus on the sharing of threat intelligence will help the entire sector to become more aware and proactive in preparation to the growing number and variety of cyber-attacks. We will assist our clients in developing and integrating a process of threat intelligence sharing to ensure our clients are able to take their part in threat intelligence sharing.
  • Third-Party Risk Management (TPRM) and Monitoring: While large firms may already be applying many of the DORA's ICT risk management requirements, all impacted companies should assess whether their response and recovery strategies and plans also respond appropriately to the expanded rules in these areas. Deloitte’s TPRM framework is based on industry leading practices and global regulatory requirements and provides a holistic solution to our clients in managing complexities within third party ecosystems. By implementing TPRM platform our clients will enjoy all the benefits of an end-to-end technology platform that combines mobile data-collection, corporate and unit-level performance improvement tools, and mobile-optimized reporting and visual analytics dashboards.

Did you find this useful?