Preparing For DORA: A Roadmap For Financial Services
The Digital Operational Resilience Act (DORA) builds on existing institutional EU requirements in response to market-wide, ongoing digital transformation and the evolution of potential new risks. The Act aims to set uniform requirements for the operational resilience of all financial entities operating in the EU, as part of a global regulatory drive to maintain financial system stability. Importantly, it also applies to critical technology partners that provide ICT-related services to the financial services sector. DORA mandates that all participants in financial services have the required safeguards in place to mitigate attacks and other risks, such as supplier failure, service deterioration, and concentration risk.

DORA represents a significant shift in how financial entities within the EU must manage and report their operational resilience, particularly in relation to information and communication technology (ICT) risk. As the Act comes into full effect in January 2025, financial services firms must proactively prepare to navigate these new requirements.

The DORA framework revolves around five key pillars:

This blog post outlines the key steps financial entities need to take to ensure compliance and highlights the critical documentation needed under DORA.


5 Key Steps to Prepare for DORA

Develop Robust Monitoring Systems

Financial entities need to implement robust monitoring systems that can capture and report data in real time. This ensures that all stakeholders, including regulatory bodies, have access to accurate and up-to-date information regarding ICT-related risks and incidents. Real-time monitoring not only fulfils regulatory obligations but also builds trust by demonstrating a commitment to maintaining high operational resilience standards.

Enhance Contractual Documentation

DORA requires financial entities to maintain comprehensive documentation of their ICT risk management frameworks. This includes policies, procedures, and controls that outline how ICT risks are managed and mitigated. RegTech companies can assist by ensuring that all risk management activities are recorded in detail and can be easily retrieved for audits or regulatory inspections.

Obtain and Maintain Certifications

Achieving and maintaining certifications such as ISO/IEC 27001 (Information Security Management) is essential. These certifications serve as a demonstration of commitment to operational resilience and security, helping to meet DORA’s regulatory expectations. RegTech firms should prioritize obtaining these certifications and keeping them up to date to showcase their ability to safeguard against ICT risks.

Implement Comprehensive Testing Programs

DORA requires financial entities to adopt robust and comprehensive testing programs for their ICT tools, systems, and processes, including those provided by third parties. Regular testing ensures that financial institutions can identify vulnerabilities and take corrective action promptly. For systemically important entities, advanced threat-led penetration testing every three years is also required to expose and address potential risks.

Strengthen Third-Party Risk Management

DORA extends its regulatory framework to ICT third-party providers designated as ‘critical.’ Financial entities must assess which third-party services are critical to their operations and ensure these providers comply with DORA’s requirements. Establishing strict service level agreements (SLAs) and conducting regular reviews of third-party relationships are vital to maintaining compliance and operational resilience.

In conclusion, the implementation of DORA marks a pivotal moment for the financial services industry, requiring a proactive approach to ICT risk management and operational resilience. By focusing on robust monitoring, enhanced documentation, obtaining certifications, comprehensive testing, and strengthening third-party risk management, financial entities can effectively prepare for DORA’s full implementation.

Would you like to find out how CC1 can help your business prepare for DORA? If so, reach out to us today!
