DORA: Decoding the Impact of the Digital Operational Resilience Act on Financial Services

What is The Digital Operational Resilience Act (DORA) and how will it impact financial services firms across Europe?

For decades financial services firms have focused their efforts on mitigating financial risk, credit risk and market risk – trying to strike the perfect balance between protecting customer assets and making profits. There are a whole host of regulations in place that financial firms must follow to ensure the protection of their clients’ investments. But these aren’t the only risks that financial firms should be managing: operational resilience also needs to be a key consideration.

Digitalisation is transforming the financial services sector, with many firms embracing modern cloud-based platforms, online portals, and apps to run their operations and engage with customers. This shift to digital operating models has seen many new players entering the FinServ sector offering low-cost banking, credit cards, loans, and payment processing options – undercutting big-name brands. These smaller players are forming an API-enabled network of integrated services and subsidiaries, becoming more modern and agile in their approach to market. This has left larger players struggling to keep up as they grapple with legacy processes and systems.

But this reliance on digital systems has opened the door to a wave of new operational risks relating to system failures, ransomware attacks, data breaches and additional third-party risk elements due to a reliance on external platforms & resources. In many financial organisations, vital business services are being delivered by external providers meaning a supplier failure or data breach could put a halt to business operations, cause regulatory issues, or result in a loss of company data resulting in bad publicity.

How are regulators reacting to these new operational risks?

Regulators have been quick to react to these new operational risks facing the financial services sector, in a bid to ensure that firms providing these essential services put measures in place to protect both their operations and the sensitive customer data they hold.

Regulators including the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) have been producing papers and guidance on operational resilience in the financial services sector for some time. This guidance is intended to support organisations to implement measures to prevent, adapt, respond to, and recover & learn from operational disruption.

Amid this shift to digital operating models and reliance on new technology, the EU has introduced the Digital Operational Resilience Act (DORA).

What is DORA?

DORA is a new regulation set out by the EU to guide those in the financial services sector to manage all components of digital operational resilience. It is set to become mandatory in the EU in early 2025. DORA applies to more than 22,000 financial organisations and Information and Communication Technology (ICT) Service providers operating within the EU, as well as those organisations supporting ICT infrastructure in financial services from outside the EU.

According to DORA organisations must…

“…follow rules for the protection, detection, containment, recovery and repair capabilities against Information and Communication technology (ICT) related incidents. DORA explicitly refers to ICT risk and sets rules on ICT risk-management, incident reporting, operational resilience testing and ICT third-party risk monitoring.” 

DORA offers guidance for financial services firms in the following areas:

  • Information & Communication Technology (ICT) risk management.
  • Reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities.
  • Reporting of major operational or security payment-related incidents.
  • Digital operational resilience scenario testing.
  • Information and intelligence sharing in relation to cyber threats and vulnerabilities.
  • Measures for the sound management of ICT third-party risk and contractual arrangements.
  • Identification of important business services and dependency mapping.

DORA aims to make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption. Its aim is to minimise harm to customers and to safeguard the financial services sector as it continues to evolve and further digitise operating models.

What measures can organisations implement to ensure compliance with DORA?

It is clear from the initial communications relating to the DORA regulation that there are stringent requirements around cyber & IT risk management, cyber & operational incident reporting, operational resilience, business continuity planning, and third-party risk management – particularly pertaining to digital providers of software applications. Therefore, in order to prepare for DORA, organisations should look to strengthen their position in these core IT Governance, Risk & Compliance (GRC) areas. They must implement best-practice processes and embed them into operational procedures now – to prepare for the 2025 deadline.

How can GRC software support organisations to meet DORA requirements?

It is clear from the DORA guidance so far that having comprehensive processes to manage cyber risk, cyber incidents, third-party risk, and operational resilience is going to be a key component of meeting the requirements outlined in the regulation. Luckily, GRC software platforms offer firms a wealth of IT GRC capabilities to ensure operational resilience across a digital enterprise.

Let’s take a tour through some of the capabilities available in the latest GRC software platforms that will support organisations to comply with many of the DORA requirements.

Risk Management – Firms should ensure they have best-practice processes in place to manage cyber & IT risk. GRC software enables firms to create multiple risk registers in the same platform to capture digital risks and run reports to view risk holistically. Firms can roll out online cyber risk assessment forms, set controls, and perform control testing – in one centralised platform.

Compliance – GRC technology enables firms to create a compliance obligations library to manage any data privacy and cyber-related requirements relating to regulations such as ISO 27001, GDPR, CCPA, and PCI DSS. Firms can implement strict governance procedures & policies to ensure compliance with data privacy regulations and manage regulatory change with comprehensive workflows to automate the process.

Third-Party Risk Management – In a GRC platform, firms can create an online vendor library – making it easier to manage and track vendor relationships and understand the risks they pose. Organisations can roll out vendor risk assessments with conditional workflows and transparent scoring methodologies – streamlining the vendor benchmarking process and allowing organisations to consistently evaluate and compare vendor risk profiles. They can implement automated monitoring of key metrics like SLAs, KPIs, and industry benchmark standards to provide continuous oversight of vendor performance. Empowered by the information that this risk-related data produces, organisations gain clarity when comparing vendors, allowing them to standardise the onboarding and offboarding process and manage contract renewals centrally.

Asset Management – With DORA requirements heavily focused on the cyber aspect of GRC, it is important for firms to ensure their IT equipment and software licences are up to date. Online asset management facilitated by GRC software enables better management of hardware and software licences – ensuring all equipment and licences are current and fit for the job.

Policy Management – All IT and cyber related policies and procedures can be managed consistently and stored in a central online repository with workflows to flag expiry dates and automate signoff, approval processes, and employee attestations.

Strategic Planning – Using strategic planning capabilities within GRC software, organisations can plan out their IT and cyber related strategic goals & objectives. Once defined, software capabilities will make it easy to break down these top-line goals into smaller tasks, projects, and actions that can be allocated out across the organisation for completion. As tasks are fulfilled, progress is indicated – making it easy to see how the strategy is progressing at all levels of the business. Ensuring your strategic goals include plans for IT infrastructure will futureproof the organisation.

Audits – Financial organisations are subject to a wide variety of audits, inspections, and checks. Within GRC software, organisations can schedule and manage internal and external audits and formalise the results and required actions – providing a complete history of all cyber audits and their findings and any outstanding actions.

BCM & Operational resilience – With many organisations relying on multiple digital systems to run their operations, part of DORA compliance will focus on organisations having robust business continuity plans in place. This is essential to ensure operations can keep running no matter what happens. The loss of the internet, the failure of a supplier or software solution, or a data breach should not halt operations – and organisations need to have plans in place for all eventualities. Software can support the creation of BCM plans, business impact assessments, and business process modelling – making it easy to understand the impact of a cyber incident in terms of cost, downtime, and man hours lost.

Act Now to Become DORA Compliant By 2025

With 2025 just around the corner, financial services organisations need to begin altering their processes now to align with the new requirements. Teams should be familiarising themselves with the regulation and performing a comprehensive gap analysis to understand which areas will require a major overhaul to comply. Those that already use modern GRC software to manage IT & cyber risk, cyber incidents, third-party risk, and business continuity planning will be in a strong position to meet the requirements outlined in the DORA regulation.

If you are in a financial services organisation and relying on manual processes like spreadsheets and emails to manage cyber risks and incidents or your operational resilience plans are not aligned with your digital operating model – you should start to look for a platform that offers best practice solutions to effectively manage these areas. If you would like to see how the Camms platform can support your organisation to implement best-practice processes that can support many of the requirements outlined in the new DORA regulation, request a demo.

Tom Kerin

Chief Product Officer
