Key Takeaways

DORA is a European Union regulation focusing on the operational resilience of digital systems within the financial sector.
Enacted at the beginning of 2023, it will apply from 2025 to all EU member countries.
The primary objective of DORA is to shape a competitive, innovative, secure, and stable European financial sector.

On November 10, 2022, the European Parliament adopted the proposed regulation on the operational resilience of digital systems in the financial sector, known as the Digital Operational Resilience Act (DORA). This agreement establishes a specific framework to strengthen resilience and address the increasing number of emerging challenges. Published in the Official Journal of the European Union (OJEU) on December 27, 2022, the regulation came into force in early 2023 and will apply from 2025 across the 27 EU member states. But what are the implications for the financial sector, and why must the industry comply with this new European regulation?

DORA: Regulatory Context and Strategic Objectives

What is the regulatory context?

The regulation on digital operational resilience for the financial sector, commonly referred to as "DORA" (Digital Operational Resilience Act), is a law passed by the European Parliament that aims to establish uniform requirements to achieve a high level of digital operational resilience.

What is operational resilience? Why DORA?

Digital operational resilience refers to the ability of businesses to maintain their operational integrity in the face of disruptions related to ICT. DORA, an EU regulation, sets a normative framework for digital operational resilience, standardizing rules for all regulated financial institutions. It constitutes the first legislative consolidation of common rules regarding ICT-related risks in the financial sector. Moreover, DORA introduces an EU-wide supervisory framework for third-party ICT service providers deemed "critical" to financial entities, ensuring adequate European oversight.

What are DORA's objectives?

The aim of DORA is to provide a clearer basis for EU regulators and financial supervisors to expand their role. Beyond ensuring the financial resilience of companies, DORA also seeks to guarantee that they maintain robust operations in the event of a major disruption related to their IT systems. This initiative aims to shape a competitive European financial sector, offering consumers access to innovative and secure financial products while ensuring overall financial stability. A key feature of DORA is its ability to identify potential gaps and integrate remediation actions into the entities' digital programs.

The impact of DORA on businesses, especially in the financial sector, is expected to be significant. This legislation establishes a crucial framework to strengthen digital operational resilience, ensuring that financial entities can effectively withstand disruptions related to information technology and increasing interconnectivity among actors. At RSM, our role is to support regulated companies in implementing DORA, ensuring they remain competitive, innovative, and capable of maintaining financial stability while staying in compliance with regulatory requirements. RSM helps and advises numerous private and public sector actors in improving their cybersecurity posture and implementing necessary work to comply with the requirements and principles of DORA, with services including:

  • Implementation of ISMS (ISO 27001)
  • Security Audits
  • Training and Awareness
  • Information Management and Security
  • Incident Management Maturity Assessment
  • Penetration Testing


What are the 5 pillars that frame digital operational resilience?

DORA aims to simplify and update ICT risk management rules. This includes a focus on incident reporting, digital operational resilience testing, information sharing, and third-party supply chain risk management. The primary goal is to identify all gaps and include remediation actions within the entities' own digital programs. The key requirements and considerations within DORA are summarized in five main themes:

1 - ICT Risk Management

DORA requires the establishment of a comprehensive ICT risk management framework, essential for strengthening financial companies' resilience. The management body bears ultimate responsibility for ICT risk management within the financial entity. For example, creating a coherent governance and control framework is a concrete step to ensure that ICT risks are effectively managed. Integrated into an overall risk management system, this framework fits into a digital operational resilience strategy.

2 - Information Sharing Mechanisms

To raise awareness of growing ICT-related risks and limit their impact while supporting entities' defense capabilities, the regulation suggests that entities implement mechanisms to share information on cyberattacks and other cyber threats with each other, as well as intelligence via dedicated platforms.

3 - Risk Management of Third-Party ICT Service Providers

Inspired by national, international, and industry norms, directives, and recommendations, the requirements are structured around specific functions in managing ICT-related risks:

  • Identification
  • Protection and prevention
  • Detection
  • Response and recovery
  • Learning
  • Evolution and communication

To be resilient against ICT-related risks, financial companies must have a documented, solid, and comprehensive process in place that accounts for all external factors that could permanently halt their activities.

4 - Digital Operational Resilience Testing

DORA describes the obligation to implement a risk-based, proportional digital operational resilience testing program as an integral part of risk management. The program includes conducting a full range of appropriate tests such as vulnerability assessments, open-source analyses, and network security evaluations to address threats.

5 - ICT Incident Management, Classification, and Notification

The establishment of a standardized incident reporting mechanism aims to reduce administrative burdens for financial entities, thus enhancing the effectiveness of supervision. This reporting follows a standardized model and a harmonized procedure for optimal handling: detecting, managing, and notifying ICT incidents. Major incidents must be reported to the management body and relevant authorities. This report will be made using a common template, which will be defined by the European Supervisory Authority (ESA). Additionally, entities can voluntarily report advanced cyber threats.

In conclusion, the key themes addressed by this regulation, such as governance, information sharing, third-party cyber risk management, operational resilience testing, and incident reporting processes, are the pillars of the regulation and demonstrate the importance placed on building a resilient and secure digital infrastructure. At RSM, we provide solutions for each of these areas.

The concept of operational resilience emphasized by the European legislator focuses on the need to evolve how companies approach operational risk management, shifting from a focus on risk prevention and loss mitigation to a more comprehensive and proactive approach. The European legislator has recognized that incidents, even those that are unlikely, can occur, and businesses must be ready to address them while ensuring the continuity of critical or important activities and services.

How will DORA impact organizations?

Which entities are affected?

DORA rules are intended to cover a wide range of businesses in the financial sector, as well as ICT service providers operating within the European Union, who will have to meet requirements applied proportionally depending on the size and profile of the business. Here is a non-exhaustive list of entities affected by DORA:

  • Credit institutions
  • Payment institutions and electronic money institutions
  • Crypto-asset service providers
  • Central securities depositories
  • Trading platforms
  • Investment fund managers and management companies
  • IT service providers
  • Insurance and reinsurance companies and intermediaries
  • Pension institutions
  • Rating agencies
  • Auditors and audit firms
  • Administrators of critical benchmarks

DORA therefore addresses a large group of users and defines a uniform framework that includes banks, insurance companies, payment service providers, and other financial sector players. Only "micro-enterprises" with fewer than 10 employees and annual revenues of less than 2 million euros are exempt.

What are the key dates to remember?

With direct application from January 17, 2025, the regulation harmonizes European standards for all EU member states.

Note that a directive (2022/2556) accompanies this regulation by incorporating references within the existing EU legislative framework, including CRD IV, PSD2, BRRD, Solvency 2, IORP2, MiFID 2, AIFM, among others. It must be transposed by member states by January 17, 2025.

To anticipate these changes, market players and ICT service providers concerned should begin preparing internally now, assessing the operational and strategic impacts of this new regulation and implementing an appropriate policy.

To facilitate this transition, the European Commission will publish a set of regulatory technical standards (RTS) and implementing technical standards (ITS) in collaboration with European supervisory authorities (EBA, EIOPA, ESMA). The publication of RTS and ITS will occur in two stages, with the first part published in January 2024 and the second in July 2024.

Below is a graphic of the different phases undertaken for the adoption of DORA:

[Graphic: phases of the adoption of DORA (image not reproduced in this text)]

In conclusion, the key themes applicable to this regulation, such as governance, information and data sharing, third-party risk management, operational resilience testing, and incident reporting processes, demonstrate the importance of building a resilient and secure digital infrastructure.

To assess your organization's digital operational resilience and anticipate your compliance with the requirements of the DORA regulation, RSM is your trusted partner in turning your regulatory challenges into opportunities. Our cybersecurity experts guide you through a pre-assessment, offering pragmatic and personalized support by identifying areas of resilience to strengthen, as well as the strategy and roadmap.

Discover our Risk Advisory services.