
Exploring DORA

A new challenge for the European Financial Services Sector

How DORA came to be

The European Commission first published its draft Digital Operational Resilience Act (DORA) regulation in 2020 to:

  • Harmonize information and communications technology (ICT) security and digital resilience for financial entities and ICT third-party service providers across the EU
  • Strengthen existing laws and regulations to support the EU’s financial services digital strategy
  • Support the digitalisation of EU financial services
  • Create a framework for European Supervisory Authorities (ESAs) to be more involved in monitoring compliance with DORA requirements.

The final version of DORA has been published

In-scope entities should not delay their regulatory compliance journey any longer. The final version of DORA (Regulation (EU) 2022/2554) was published in the Official Journal on 27 December 2022 and entered into force on 16 January 2023, beginning a 24-month implementation period during which entities must put in place the measures necessary to meet DORA requirements. DORA applies from 17 January 2025.

In addition to the requirements in DORA itself, you should also monitor the publication of the Regulatory Technical Standards (RTS), which the ESAs are mandated to deliver in two batches, 12 and 18 months after DORA’s entry into force. The RTS must be implemented by the time DORA becomes applicable at the end of the full 24-month period.

How will DORA affect your business?

DORA introduces new obligations. Although the topics it addresses are not entirely new, they are now precisely defined, with specific implementation steps. An entity’s ability to meet these obligations is a good indicator of its overall digital maturity.

Some parts of the financial industry, already regulated on the topics addressed by DORA, will focus mainly on updating and adapting their existing measures. This is the case for the banking sector, which is already subject to comprehensive ICT and digital resilience requirements under EU law.

For other sectors, such as investment management, requirements before DORA have not been as stringent, so implementation will be more intensive. If your firm is in one of these sectors, you may need to define new measures for your specific digital environment. Correctly assessing your firm’s current level of readiness is crucial to defining an action plan that is customized to your entity and weighs cost against benefit.

DORA and NIS2

The Network and Information Security (NIS) Directive was the first piece of EU-wide legislation on cybersecurity and aimed to achieve a uniformly high level of cybersecurity across Member States. While NIS increased Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation across the internal market. To respond to the growing threats posed by digitalization and surges in cyber-attacks, the European Commission submitted a proposal to replace the NIS Directive with the Network and Information Security 2 (NIS2) Directive.

Both DORA and the NIS2 Directive aim to increase digital resilience in the European Union and to reduce the impact of cyber incidents. DORA states explicitly that the NIS2 Directive continues to apply; overlap between the two is avoided by a lex specialis provision in DORA, which gives DORA precedence over the Directive (the lex generalis) for the financial entities in its scope.

DORA and GDPR

Even though DORA does not introduce specific personal data protection rules, it targets the security of your information systems, which indirectly affects your firm’s GDPR compliance. DORA requirements do not take precedence over GDPR requirements but build on them, which means that GDPR provisions continue to apply.

Personal data breaches (under GDPR) and ICT-related incidents (under DORA) have similar requirements but some key differences in application. For instance, a single incident may have to be reported both to the competent authority under DORA and to the competent data protection authority under GDPR. The deadlines for these notifications also differ: GDPR allows up to 72 hours to notify after you become aware of a data breach, whereas the draft DORA proposed a general deadline of “end of business day” for the initial notification, with the final text leaving the precise time limits to be specified in RTS. This example illustrates how DORA and GDPR interact: DORA’s requirements are generally broader, and meeting them will in many cases also satisfy the security-related GDPR requirements. However, your firm will still have to assess compliance with each law separately, as each targets a distinct aspect of similar subject matter.

What’s next on your DORA journey?

Some actors in the financial sector, such as large cross-border groups with a high overall level of maturity, may already have covered much of the ground needed for DORA compliance.

Supervisors, however, are likely to expect better-developed capabilities from larger entities, and market-leading capabilities from entities whose operational disruptions could have systemic consequences due to the criticality of their services. All entities are therefore likely to be challenged by DORA and the 24-month implementation period. There is no time to waste: start planning your DORA implementation today.

You should now assess your readiness for meeting DORA requirements, taking your specific industry into account, to understand the complexity of your own compliance journey.

You should also monitor the RTS that the ESAs develop and publish during the first 12-18 months of the implementation period, and implement them as they are published.

Given the breadth of topics addressed by DORA, you should launch a coordinated project to cover all DORA requirements while capitalizing on your existing digital security and resilience measures. Top management support will be key to success, as DORA requires their involvement in managing digital resilience.

In-scope entities like yours should consider five main pillars when launching your DORA compliance journey: ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk management, and the oversight of critical ICT third-party providers.

ICT risk management is not a novel concept, but a thorough and extensive revision of your entity’s current practices and frameworks is necessary. DORA requires your management body to take overall responsibility for setting and approving your entity’s digital operational resilience strategy. Additionally, entities must set risk tolerances for ICT disruptions, supported by KPIs and risk metrics that satisfy the increased level of ICT security set out by DORA. Supervisors will assess the entity’s ability to perform business impact analyses based on “severe business disruption” scenarios and to complete remediation work addressing identified vulnerabilities.

ICT risk management also includes creating a communication strategy and assigning a point person for greater transparency regarding ICT-related incidents and vulnerabilities. Moreover, DORA requires your in-scope entity to map and understand the interconnections between your ICT assets, processes, and systems.

DORA’s incident reporting framework will challenge entities to improve their ability to collect, analyze, escalate, and share information concerning ICT incidents and threats. Consequently, you will need to classify incidents by their quantitative impact and analyze their root causes. DORA also requires your entity to put in place protection measures against those threats.

The centralization of ICT-related incident reporting will require the ESAs, in consultation with the European Central Bank (ECB) and the European Union Agency for Cybersecurity (ENISA), to prepare a joint report assessing the feasibility of a “central EU Hub,” which would either directly receive relevant reports and automatically notify national competent authorities or serve a coordinating role by centralizing reports forwarded by national competent authorities. The ESAs must submit this report by the end of the 24-month implementation period.

Please note that the final text no longer contains the originally proposed reporting deadlines; instead, the time limits are delegated to RTS that the ESAs must deliver within 18 months of entry into force. This means that in-scope entities will not have a clear view of the operational implications of the new reporting framework for some time.

Entities should be familiar with and have processes related to digital operational resilience testing and ICT tool and systems testing. Specifically, DORA establishes the framework for in-scope entities to conduct appropriate security and resilience tests on their “critical ICT systems and applications” at least annually and fully address any identified vulnerabilities.

Additionally, entities above a certain threshold of systemic importance and maturity will need to conduct “advanced” Threat-Led Penetration Testing (TLPT) at least every three years. Negotiators specified that TLPT methodologies should be developed in line with the ECB’s existing TIBER-EU (Threat Intelligence-Based Ethical Red-Teaming) framework and, locally, with the transposed TIBER-LU framework. Entities already familiarizing themselves with the TIBER testing methodology are a step ahead, because TIBER-aligned tests are expected to count toward DORA’s advanced testing requirements.

DORA’s third-party risk management requirements specify multiple contractual terms that entities must include in their contractual arrangements with ICT third-party providers by the end of the 24-month implementation period. You will have increased responsibility when engaging third-party service providers, in the form of stricter obligations and ICT concentration risk assessment requirements for all arrangements supporting the delivery of critical or important functions.

Finally, DORA will strengthen the framework for control over third-party providers with the creation of a “Lead Overseer” that will, among other tasks and responsibilities, monitor the compliance of critical ICT third-party providers (CTPPs), with the power to require them to strengthen their security practices and to sanction them if they fail to comply. This will put pressure on CTPPs to demonstrate that they can improve their operational resilience and the processes that support in-scope entities, particularly for the critical functions of financial entities.

Additionally, DORA establishes the Joint Oversight Forum (JOF), which will play an important role in developing best practices for CTPP oversight and should help establish a clearer standard for their expected level of resilience.
