Financial institutions are increasingly exposed to cyber threats and ICT-related disruptions. Recognising this, the European Union introduced the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554), which aims to ensure that financial institutions can withstand, respond to and recover from such disruptions, and emerge stronger afterwards. Drawing on our experience working with financial institutions, we understand the complexities involved in achieving DORA compliance. With 68% of large EU enterprises reporting at least one ICT security incident in 2022, and the average cost of a data breach exceeding 3 million euros globally, the significance of DORA cannot be overstated.
This article is written by Mourad Seghir ([email protected]). Mourad is part of RSM Netherlands Business Consulting Services with a specific focus on Finance & Strategy.
DORA applies to a wide range of financial entities within the European Union. Article 2 of DORA sets out which financial institutions (FIs) and ICT third-party service providers are in scope. These entities must comply with DORA's requirements from 17 January 2025. The broad scope means that any organisation operating within the financial sector, or providing critical ICT services to it, must ensure that it meets the required standards.
What Needs to Be Considered
The regulation represents a significant change in expectations for FIs and affects every department within an FI. After the financial crisis of 2008, many supervision and governance acts were introduced, but never an equivalent for cybersecurity and ICT risk. FIs now need an organisation-wide approach to managing digital operational resilience. Key considerations include:
- Governance and Organisation: All roles and responsibilities related to ICT risk management need to be clearly identified and documented. This includes the management body (board of directors), IT teams, operational employees and risk management personnel. For instance, roles such as a Chief Information Security Officer (CISO) or an ICT Risk Manager should be established, together with crisis teams and communication specialists, each with clearly outlined reporting lines and responsibilities.
- ICT Risk Management: Institutions must develop and maintain a comprehensive ICT risk management framework that is integrated into the overall risk management system. This framework should enable quick and efficient identification, assessment, and mitigation of ICT risks.
- Incident Management: Implementing robust incident management procedures is crucial. This includes detecting, managing, and reporting ICT-related incidents promptly and effectively.
- Third-Party Risk Management: Managing risks associated with third-party service providers is vital. Financial institutions must ensure that these providers adhere to the same risk management and resilience standards.
- Information Sharing: DORA emphasises the importance of information sharing within the financial ecosystem. Institutions must establish protocols for the exchange of information and intelligence on cyber threats, both internally and with external partners.
- Resilience Testing: Regular testing of digital operational resilience is required to ensure that ICT systems can handle disruptions. This ranges from basic testing, such as vulnerability assessments and scans, to advanced threat-led penetration testing (TLPT) for entities designated by their competent authority.
What Is It That You Need to Do?
To meet DORA's requirements, financial institutions must take several practical steps. Here is a summary based on our practical experience with companies:
Governance and Accountability: Define and document all roles and responsibilities related to ICT risk management. The governance structure should ensure that the board of directors is involved in overseeing these efforts, with clear accountability at every level.
Develop an ICT Risk Management Framework: Establish a risk management framework that includes:
- Risk Identification and Assessment: Identify and categorise risks, such as cyber risks (e.g., phishing, malware), system risks (e.g., hardware failures) and physical risks (e.g., natural disasters).
- Risk Mitigation: Develop procedures to manage and mitigate these risks, such as deploying Security Information and Event Management (SIEM) systems and endpoint protection, and putting controls around remote access in place.
Incident Management: Implement a comprehensive framework that includes:
- Detection and Classification: Use tools such as SIEM systems, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) to detect incidents, and classify them according to the DORA criteria (for example the number of clients affected, duration, geographic spread, data losses, criticality of the services affected and economic impact) so that major incidents are reported to the competent authority within the required deadlines.
- Response Protocols: Establish strategies and protocols for incident response, including communication strategies and escalation procedures.
- Post-Incident Review: Regularly review incidents to refine and improve response strategies.
Third-Party Risk Management: Conduct thorough due diligence on third-party ICT providers, assessing their financial stability, operational capacity and cybersecurity posture. Contracts should include clauses on risk management, security requirements, audit and access rights, exit strategies and compliance. DORA also requires a register of information covering all contractual arrangements for ICT services, which competent authorities may request.
Information Sharing: Develop protocols for sharing information and intelligence on cyber threats. This includes both internal communication and collaboration with external stakeholders to ensure a coordinated response to emerging threats.
Resilience Testing: Regularly test digital operational resilience through:
- Vulnerability Assessments: Identify and address vulnerabilities in ICT systems.
- Penetration Testing: Simulate cyber-attacks to identify weaknesses in the organisation’s defences.
- Scenario-Based Testing: Conduct tests based on potential real-world scenarios to evaluate the effectiveness of response strategies.
Where Are the Challenges?
Implementing DORA is not without its challenges, and our experience with clients has highlighted several key areas where difficulties may arise:
- Integration Across Departments: DORA’s requirements span multiple departments, making it challenging to ensure alignment and coordination across the entire organisation.
- Resource Allocation: With the January 2025 deadline approaching, the implementation and ongoing maintenance of the required frameworks and processes can be resource-intensive, necessitating significant investment in technology, training and personnel.
- Third-Party Dependencies: Effectively managing and monitoring third-party service providers is complex, especially when dealing with multiple providers with varying levels of readiness.
- Supervisory Challenges: The European Supervisory Authorities (ESAs) and National Competent Authorities (in the Netherlands: DNB and AFM), traditionally focused on financial oversight, are now tasked with supervising digital operational resilience under a single harmonised regime, including the oversight of critical ICT third-party providers. This new responsibility adds a layer of complexity and uncertainty.
Forward thinking
To successfully navigate DORA, financial institutions must adopt a proactive approach, leveraging the regulation as an opportunity to strengthen their digital resilience. Based on our experience, we have developed a practical checklist to help institutions assess their readiness and identify areas for improvement. We advise conducting a gap analysis on these items to understand the current state of compliance and what the next steps are.
DORA Compliance Checklist
| Area | Question |
|---|---|
| Governance (Art. 5) | Has the management body established a governance and control framework for managing ICT risks? |
| ICT Risk Management framework (Art. 6) | Have you set up a framework for ICT risk management as part of your overall risk management system? |
| ICT Systems, protocols, tools & Identification (Art. 7-8) | Do you maintain an inventory of all ICT-related assets, including those managed by third parties? |
| Incident Management (Art. 17-23) | Have you established procedures for detecting, classifying, handling and reporting ICT-related incidents? |
| Digital Resilience Testing Programme (Art. 24-27) | Is there a digital operational resilience testing programme in place, including vulnerability assessments and penetration testing? |
| Third-Party ICT Risk Management (Art. 28-30) | Are there policies and procedures in place for managing the risks of ICT services from third-party providers? |
This checklist, grounded in our practical experience, is designed to guide financial institutions through the complexities of DORA compliance. By regularly reviewing and updating this checklist, institutions can ensure they are not only meeting regulatory requirements but also enhancing their overall operational resilience. This proactive stance will be crucial as the January 2025 deadline approaches, helping institutions stay ahead of potential challenges and secure their digital operations against evolving threats.
RSM is a thought leader in the field of Strategy and Sustainability consulting. We offer frequent insights through training and the sharing of thought leadership based on detailed knowledge of regulatory obligations and their practical application in our work with customers. If you want to know more, please reach out to one of our consultants.