DORA: The New Era of Digital Operational Resilience for Financial Entities
- James Ross
- Jun 25, 2024
- 2 min read
The financial sector increasingly relies on technology, making it vulnerable to cyber threats and operational disruptions. To address these risks, the EU has introduced the Digital Operational Resilience Act (DORA), a comprehensive framework designed to bolster the resilience of financial entities (FEs). Let's explore the key points of DORA and their implications for your firm.

What is Digital Operational Resilience?
Operational resilience is a financial entity's ability to withstand, adapt to, and recover from disruptions. This means having robust systems in place and the ability to bounce back quickly and effectively in the face of unexpected events.
Key Points of DORA
Governance and Organisation: DORA places responsibility for ICT risk management at the board level. Boards must have the expertise to oversee DORA's implementation and ensure strong cybersecurity practices.
ICT Risk Management Framework: FEs need a documented framework that defines risk tolerance levels, cybersecurity objectives, and strategies for preventing and responding to incidents.
ICT Systems, Protocols, and Tools: Your technology needs to be appropriate, reliable, scalable, and resilient. Regular assessments and updates are crucial to maintain business continuity.
ICT Risk Management: This covers a broad spectrum, from risk identification and prevention to detection and response. Implement robust security measures, conduct regular risk assessments, and have incident response plans ready.
ICT Response and Recovery: Disruptions are inevitable. Have well-documented and tested business continuity and incident response plans to minimise downtime and data loss.
Backup, Restoration, and Recovery: Ensure you have secure backups and reliable procedures for restoring data and services in case of disruptions.
Learning and Evolving: Continuously gather information on vulnerabilities, analyse incidents, and learn from them to improve your resilience strategy.
Crisis Communication: Develop clear internal and external communication plans to manage information flow during a crisis, ensuring transparency and trust.
Incident Reporting and Notification: Establish procedures for classifying and reporting incidents to authorities and clients, ensuring timely and accurate communication.
Digital Operational Resilience Testing (DORT): Regular testing is required to assess your preparedness for ICT-related incidents. This involves simulating disruptions and evaluating your response.
Threat-Led Penetration Testing (TLPT): Advanced testing helps identify vulnerabilities in your ICT systems. Use certified testers and be mindful of data protection.
Sound Management of ICT Third-Party Risk: Outsourcing doesn't absolve you of responsibility. Develop a comprehensive risk management strategy for third-party providers and maintain a register of all contracts.
Assessing ICT Concentration Risk: Relying on a few providers can be risky. Assess concentration risks and consider diversifying your providers.
Key Contractual Provisions for ICT Third-Party Service Providers: Ensure your contracts with TPSPs include clear terms on service levels, data protection, incident response, and termination rights.
Implications for Your Firm
DORA's comprehensive approach requires significant changes to how financial entities manage their digital operations. Here's what your firm needs to consider:
Board Engagement: Ensure your board is fully aware of the regulatory requirements and has the necessary expertise to oversee DORA implementation.
Risk Assessment: Conduct a thorough assessment of your ICT risks and develop a strategy that aligns with your business objectives and risk appetite.
Technology Upgrade: Invest in reliable and resilient technology solutions that can scale with your business and meet regulatory standards.
Incident Management: Develop and test comprehensive incident response plans to minimise downtime and data loss.
Third-Party Risk Management: Assess and manage the risks associated with third-party service providers, ensuring they meet DORA requirements.
Continuous Improvement: Establish a constant learning and improvement culture to adapt to evolving threats and technologies.