Digital Operational Resilience Act (DORA) – ensuring security and resilience in the financial sector

The security of digital systems is of crucial importance for financial and information and communication technology (ICT) service providers. With the Digital Operational Resilience Act (DORA), a law came into force in January 2023 that regulates the operational resilience of digital systems in the financial and insurance sector. Affected organisations now have until 17 January 2025 to implement the DORA regulation. This article is intended to help you understand the relevance, impact and requirements of DORA and make the necessary preparations in good time.

Short & concise

  • DORA, or Digital Operational Resilience Act, was introduced to address the challenges of increasing reliance on ICT systems and third parties in the financial sector.
  • All financial companies, including credit institutions, payment institutions, investment firms, insurance companies, etc., are affected by DORA.
  • Critical ICT third-party service providers are subject to stricter controls by EU financial supervisory authorities.
  • We offer a wide range of services to help you meet the challenges of the Digital Operational Resilience Act (DORA).

What is DORA?

DORA, or Digital Operational Resilience Act, was introduced on 16 January 2023 to address the challenges of increasing dependence on ICT systems and third parties in the financial sector. The objectives of DORA are to reduce risks, strengthen the resilience of ICT systems and processes and standardise European laws and regulations in the financial sector. DORA will be operational from 17 January 2025.

Companies concerned

All financial organisations, including credit institutions, payment institutions, investment firms, insurance companies, etc., are affected by DORA. In addition, so-called “critical ICT service providers” – providers of cloud services, software development, payment services and more – must fulfil the requirements of DORA.

Regulatory focus of DORA

DORA defines five regulatory priorities:

1. ICT risk management

  • Governance: Financial organisations need to establish an effective internal governance and control framework, overseen by a responsible and well-informed governing body, to manage ICT risks and ensure digital operational resilience.
  • ICT risk framework: Financial organisations must establish a detailed ICT risk management framework as part of their overall risk management framework. It must cover all ICT assets, be reviewed regularly and be transparent towards the authorities, and it must include strategies for digital resilience and for the use of multiple ICT service providers.
  • Methods, processes and policies: Financial organisations must use up-to-date, reliable and appropriate ICT systems, protocols and tools to ensure accurate data processing and service delivery as well as technological resilience, even under challenging conditions.

2. Business continuity management

Financial organisations need to develop specialised ICT business continuity policies, test regularly and ensure through independent internal audits that data backups, redundant systems and the integrity of data after recovery are guaranteed.

3. Testing digital operational resilience

Financial companies must establish a comprehensive testing programme for their digital operational resilience that includes at least annual, risk-based and independent testing of critical ICT systems, with identified issues systematically remediated and specific tests such as Threat-Led Penetration Tests (“TLPT”) conducted every three years.

4. Management of ICT third-party service provider risks

Financial organisations need to develop a strategy for managing ICT third-party risk, as they remain fully responsible for compliance with regulatory requirements. They must be careful when selecting and evaluating third-party providers, consider audit and cancellation rights in contracts and develop exit strategies for external ICT services.

ICT third-party service providers are considered critical if

  • an operational disruption on their part could have systemic consequences,
  • they are of great importance to many financial organisations, and
  • they are not easily replaceable.

A lead monitoring authority is appointed for each critical third-party ICT service provider, which informs the service provider of the classification and the date from which monitoring begins.

5. Incident reporting

  • Process for handling and classifying ICT incidents and cyber threats: Financial organisations must establish a comprehensive process for handling, monitoring and reporting ICT-related incidents that includes clear procedures, responsibilities and response measures and classifies incidents and cyber threats based on their criticality.
  • Reporting of ICT incidents and cyber threats: Financial organisations must report serious ICT-related incidents to a designated authority, with the reporting process including initial, interim and final reports. Customers must be informed immediately of serious incidents.

Consequences for critical ICT third-party service providers

Critical ICT third-party service providers are under increased scrutiny from EU financial regulators. They must fulfil extensive audit and compliance requirements, develop contingency and recovery plans, take responsibility for their supply chain and enter into strategic partnerships. The implementation of standard contractual clauses requires precise knowledge of the legal framework.

  • Application of DORA
    Every ICT provider must check whether their organisation belongs to the group of so-called “critical ICT third-party service providers”. If this is the case, they must fulfil all DORA requirements and help their customers to comply with them.
  • Supervisory body
    Critical ICT third-party service providers are placed directly under the control of the EU financial supervisory authorities. ICT service providers must be prepared for more intensive monitoring and assessment by financial companies and regulatory authorities.
  • Audit and compliance requirements
    The fulfilment of extended audit rights and compliance with the diverse and complex regulatory requirements will pose a considerable challenge. Service providers will have to organise and present their internal processes more openly. They will also have to be involved in carrying out TLPT tests.
  • Emergency and recovery plans
    The development and regular updating of emergency and recovery plans is mandatory. Corresponding documentation and tests of the plans must be verified. Third-party ICT service providers must fulfil the legal requirements for digital operational resilience.
  • Responsibility for the supply chain
    ICT service providers must ensure the security and compliance of their own supply chain.
  • Strategic partnerships
    The role of the ICT service provider will change from a pure provider to a strategic partner that is integrated into the risk management of financial companies.
  • Standard contractual clauses
    Adapting to and implementing standard contractual clauses requires precise knowledge of the legal framework and possibly also negotiations with customers.

Our consulting services for you

We offer a wide range of consulting and services to support you in overcoming the challenges of the Digital Operational Resilience Act (DORA). Our expertise ranges from risk management assessments and DORA readiness assessments to the design of business continuity management (BCM) and penetration tests. Discover how we can strengthen your digital operational resilience.

  • Risk Management Assessments
  • DORA Readiness Assessments
  • DORA reporting processes
  • Dashboards & KPI
  • BCM assessments & conception
  • Penetration tests
  • Sourcing & contract review
  • Project management (hybrid, agile etc.)
  • Process design
  • ITIL 4 (Incident Management)
  • Service provider risk management

Conclusion

The implementation of DORA is both a necessity and an opportunity for financial organisations and critical ICT service providers to ensure digital operational resilience.

With our experience in project management, process design, ITIL 4 (incident management) and service provider risk management, we offer comprehensive solutions to make your organisation DORA-compliant. Our dashboards and key performance indicators (KPIs) provide the necessary transparency. Rely on the expertise of mgm consulting partners when it comes to not only fulfilling the requirements of DORA, but also effectively protecting your digital resources and strengthening your resilience to digital challenges. You will be ideally equipped to shape the future of the digital financial world.

Further background information can be found on the BaFin website.