The EU’s Digital Operational Resilience Act for financial services
The GDPR of the financial sector?
What is DORA?
The final version of DORA was published on 17th January 2023.
DORA aims to provide a comprehensive framework for harmonizing digital risk management processes in the financial sector, and also to help strengthen supervision and create the possibility of direct supervision. DORA sets out detailed requirements for ICT risk management, resilience testing, and incident reporting and management, and it also covers third-party risk management processes.
With a grace period of years, DORA will enter into force on 17th January 2025. The regulation is directly applicable in all EU member states (just like GDPR).
Who will be affected?
DORA applies to the traditional financial sector (banks, insurance companies etc.), fintech companies, and also the critical ICT service providers of financial organizations.
Numerous organizations that have not yet faced strict regulatory requirements (e.g. alternative investment fund management companies, crypto instrument issuers) will need to comply with DORA.
Watch out for detailed regulations
Regulatory technical standards (RTS) will be published over the next two years to provide detailed requirements for specific areas of DORA (e.g. incident reporting, threat-led penetration testing).
How can Deloitte help?
Deloitte professionals provide industry and technical expertise to help financial organizations assess and improve their digital resilience and ensure compliance with regulations.
We provide comprehensive services from gap analysis to implementation. We use proven tools and methodologies to help our clients comply with DORA:
- Risk management framework
To comply with the requirements of DORA, organizations need complex, well-developed, and trusted risk management processes. We can help your organization align its business strategy with its cyber risks, and also build and maintain a comprehensive and effective risk management framework.
- Incident management
Early detection and rapid response are key in incident management. Deloitte provides end-to-end solutions, from governance framework design through implementation of workflows and controls to actual incident resolution.
- Resilience testing
DORA requires the implementation and regular testing of Business Continuity and Disaster Recovery processes. Deloitte can also provide technical testing, from simple vulnerability scans and penetration tests to complex red-teaming exercises and crisis simulations.
- Cyber Threat Intelligence
Well-organized cyber attacks often strike several parties in the financial sector at the same time. DORA can help the whole financial sector prepare against cyber-attacks by making the sharing of threat intelligence information obligatory. Deloitte helps its clients design and implement resource-efficient processes for quickly processing and responding to threat intelligence information.
- Third-party risk management (TPRM)
The TPRM framework of Deloitte is based on industry best practices and global regulatory requirements, providing our clients with comprehensive third-party risk management solutions. Our team consists of legal and TPRM experts who can help our clients design and implement a comprehensive TPRM framework. We can also support you in implementing industry-leading IT solutions (e.g. OneTrust) to comply with TPRM requirements.