Key takeaways

DORA introduces binding EU regulations effective from January 2025.
DORA aims to strengthen the financial services sector’s resilience to incidents impacting Information and Communications Technology (ICT).
The act requires middle market business leaders to implement contingency plans and establish more robust and secure systems.

In an era defined by rapid digital transformation where technology has become integrated into everyday operations, the vulnerability of businesses to cyber threats and operational disruptions has become more pronounced. 

Recognising the need for a comprehensive framework to address these challenges, the European Commission has introduced the Digital Operational Resilience Act (DORA), creating a binding EU regulation to strengthen the financial services sector’s resilience to incidents impacting Information and Communications Technology (ICT). 

The act, which will come into effect in January 2025, is designed to establish a unified framework across the European Union, ensuring that the financial sector has all the necessary safeguards in place to mitigate cyber incidents. These safeguards might include robust systems, contingency plans, information sharing, and having response mechanisms in place to effectively manage and mitigate operational disruptions. 

DORA will outline five core technical standards: 

  • An incident response plan
    Companies will be required to create an incident response plan that includes a detailed description of what constitutes a cyber incident, how employees should respond, and how operations will be restored if there is a security breach.

  • A cybersecurity programme
    Implement an assessment of the risks posed by cyberattacks, and prepare and maintain a cybersecurity risk mitigation plan.

  • Security controls over digital infrastructure
    Organisations will be required to implement and maintain appropriate security controls over their digital infrastructure. These controls should include encryption, authentication, access controls, audit trails, monitoring systems, event management systems, and incident response plans.

  • Reporting
    Incidents must be reported so that regulators can assess the affected organisations' vulnerabilities and make recommendations for improving their security posture.

  • Continuity planning and threat-led resiliency testing
    Companies should have a business continuity plan to maintain operations and service delivery during any potential disruptions, and should test these plans against realistic scenarios.

But what does this mean for the middle market? 

The introduction of DORA is a positive piece of legislation, and middle market businesses will have to adhere to it. It requires middle market business leaders to implement contingency plans and more robust and secure systems. Its ultimate purpose is to strengthen organisational resilience to cyber-related incidents, reducing the risk of cyber incidents impacting the Financial Services sector, the regulatory fines that result from cyber and data breaches, and the associated reputational damage.

While IT risk management and security implementation may seem to be a time-consuming and costly process, with the right level of senior sponsorship and steer, a good understanding of risk and compliance, and smart deployment of technical expertise and financial investment, organisations can ensure that cybersecurity is effectively introduced, understood and maintained. In comparison to larger companies, middle market businesses could be at a disadvantage, as larger businesses might already have controls, systems and processes in place, or have more flexible budgets to introduce and maintain them effectively.

On the other hand, once the act is passed into law, the organisational structure of middle market businesses could position them for greater success in implementing change. Medium-sized organisations tend to have a more digital-first nature and a more modern, flexible and adaptable ICT environment, with more agility embedded into their ways of working, in comparison to larger, often process-heavy organisations. 

Businesses in the middle market will need to be prepared when approaching this challenge. Introducing robust systems and plans to mitigate cyber incidents can put demand on resources already managing day-to-day operations and create a financial challenge. Planning ahead is essential, and there are a number of interdependencies to consider, with different skills, knowledge and practical experience needed to be successful. Bringing in and working with the right experts in this field will ultimately help a business to take an efficient approach to understanding and implementing DORA, proportionate to its risk profile, operations and capabilities.

By Sheila Pancholi, partner and national Technology & Cyber Risk Assurance lead at RSM UK.