
DORA explained

Louis Strauss |

January 18, 2024

Today, the financial sector increasingly depends on technological innovation and technology companies to deliver financial services. The COVID-19 pandemic deepened financial institutions' reliance on the availability of digital systems for day-to-day, remote operations. That dependence also makes them more exposed to cyber incidents and attacks.

Kroll's 2023 Fraud and Financial Crime report stated that 68% of global leaders and cyber risk analysts believed financial crime would rise over the next 12 months. Another 56% of the respondents believed that emerging tech was one of the biggest contributors to financial crime, with cybersecurity and data breaches being the biggest drivers. 

 If managed poorly, ICT risks can disrupt financial services across different regions. In turn, this can significantly impact other companies, sectors, and other economic aspects, highlighting the importance of the financial sector's digital operational resilience. 

The European Union adopted the Digital Operational Resilience Act (DORA) to reduce such disruptions and strengthen the resilience of the financial sector.

Join us as we dive deeper into DORA's scope, application, pillars, and implications. We will also examine how GRC software can help meet the Act's compliance requirements.

 

What is the Digital Operational Resilience Act (DORA)?

The Digital Operational Resilience Act (DORA) entered into force in January 2023, but it applies only from January 17, 2025, giving organizations two years to comply.

The Act aims to strengthen the financial institutions' IT security and ensure the EU's financial sector can stay resilient during a severe operational disruption. 

DORA will affect more than 22,000 financial institutions and ICT service providers operating in the EU, encompassing banks, central counterparties, investment firms, trading platforms, and other financial market institutions. 


What are the pillars that firms should adhere to? 

 

DORA rests on five pillars: ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; ICT third-party risk management; and information-sharing arrangements.

 

ICT risk management

The EU's Digital Operational Resilience Act (DORA) establishes new cyber risk management requirements for financial institutions. Under DORA, firms must fully manage ICT risks, with senior leadership setting risk tolerances and overseeing policies concerning ICT Third-Party Providers (TPPs). Regulators can enforce remedies for non-compliance. 

Key obligations include asset mapping, identifying critical business functions, conducting impact analysis of severe disruption scenarios, and setting quantifiable cyber risk metrics. 

DORA represents a significant expansion of regulatory compliance obligations for financial services organizations for operational and technology resilience. 

Understanding DORA's risk-based approach will enable firms to implement effective compliance programs focused on business continuity, disaster recovery, and overall cyber defense.

 

ICT-related incident management, classification & reporting

Another key component of DORA is streamlining incident notification processes for financial firms across the EU. 

Under the new rules, organizations must implement robust capabilities for detecting, assessing, classifying, and reporting ICT-related incidents against DORA's criteria and the guidance of the European regulatory bodies. Major incidents must be reported promptly to the competent authority, and affected clients must be informed where an incident impacts their financial interests.

To comply, financial institutions will need to establish clear workflows for cyber incident response, leverage technologies like Security Information and Event Management (SIEM) for detection and implement integrated GRC platforms to automate reporting and ensure adherence. 

For multinational financial services firms, aligning processes across jurisdictions to meet DORA's harmonized incident disclosure standards will enhance resilience and transparency. 

 

Digital operational resilience testing

DORA also introduces extensive cyber resilience testing mandates for financial firms to evaluate preparedness. Firms must regularly test their ICT risk management frameworks, identify gaps, and implement fixes to strengthen defenses. Testing programs should be proportionate to the organization's risk profile and scale. For entities that competent authorities identify as higher-risk, DORA additionally requires threat-led penetration testing (TLPT): red-team exercises that imitate real-world attacks against live production systems, carried out at least every three years.

To meet these obligations, financial institutions must develop comprehensive testing regimes spanning vulnerability assessments, penetration testing, cyber range simulations, and crisis scenario drills. Leveraging GRC platforms with integrated testing modules can help coordinate and automate testing while providing evidence for regulators. 

Robust cyber resilience testing is essential for financial firms to demonstrate operational readiness under DORA.

 

ICT third-party risk management

DORA's third-party risk management (TPRM) requirements significantly expand on the existing ESA outsourcing guidelines, extending coverage beyond cloud service providers (CSPs) to all ICT outsourcing arrangements. Under the new rules, organizations must implement robust monitoring and due diligence processes for all critical ICT providers.

That includes conducting supplier concentration risk analysis, justifying outsourcing decisions for key functions, and adopting multi-vendor models where prudent. Contracts must enable comprehensive monitoring through detailed service levels, transparency about data processing, and audit and access rights. DORA also aims to harmonize third-party risk supervision at the EU level.

Meeting these obligations will require financial institutions to enhance vendor risk management programs, leverage advanced GRC platforms to centralize provider data, and collaborate closely with regulators on oversight mechanisms. Managing third-party cyber risk is now a top regulatory priority that firms must address as part of their DORA compliance strategy. 

 

Information sharing arrangements

DORA also gives the ESAs greater power over designated Critical ICT Third-Party Providers (CTPPs): they can evaluate a CTPP's security practices, request changes, and sanction non-compliance. It also sets out the severe circumstances in which firms may be required to suspend or terminate contracts with a CTPP.

Supervisory bodies such as the Joint Oversight Forum (JOF) are intended to bring consistency to the oversight of critical ICT providers.

Firms are encouraged to share threat intelligence, best practices, and mitigation strategies through trusted communities that protect sensitive data. By enabling anonymous exchange of information on attacks, vulnerabilities, and responses within legal boundaries, financial institutions can gain valuable insights to enhance detection, response, and collective defense.

As cyber risks rapidly evolve, compliant threat collaboration will be key for understanding the threat landscape and calibrating defenses. Forward-thinking institutions are ramping up participation in industry groups and exploring technologies like threat intelligence platforms to share data securely.

 

What is the regulation's current status?

The European Commission, the EU's executive body responsible for proposing legislation, first drafted DORA in September 2020 as part of a broader digital finance package that also included initiatives to strengthen the EU's overall digital finance strategy and to regulate crypto-assets.

In November 2022, the European Parliament and the Council of the European Union, the legislative bodies that approve EU laws, formally adopted DORA. Financial institutions and third-party ICT service providers must comply with it by January 17, 2025, the date from which it applies.

Although DORA has been formally adopted, the European Supervisory Authorities (ESAs) that oversee the EU financial system (the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA)) are still ironing out key details.

The ESAs are responsible for drafting the regulatory technical standards (RTS) and implementing technical standards (ITS) that the parties concerned must adhere to. They are expected to finalize these in 2024.

The European Commission is also drafting an oversight framework for critical ICT providers, which should be finalized in the same year. 

Once the standards are finalized and the January 2025 deadline is reached, designated regulators in each EU member state, known as "competent authorities," are responsible for enforcing DORA. They can also require financial institutions to follow specific security guidelines and to mitigate identified risks.

Penalties are set at member-state level: competent authorities can impose administrative penalties for non-compliance, and member states may also provide for criminal penalties.

Lead overseers drawn from the ESAs will oversee ICT providers designated as "critical" under DORA. Like competent authorities, lead overseers can request remediation and security measures and can penalize non-compliant ICT providers.

Under DORA, a lead overseer can impose periodic penalty payments of up to one percent of the provider's average daily worldwide turnover in the preceding business year, charged for each day of non-compliance for up to six months.

 

Take the next step with 6clicks

The EU's Digital Operational Resilience Act (DORA) introduces extensive new cyber risk, resilience, and third-party oversight requirements for financial institutions. As firms scramble to implement comprehensive programs to comply with DORA, GRC technology will be an invaluable enabler. 

Purpose-built cyber GRC platforms like 6clicks can help organizations automate DORA's requirements in an integrated manner. 

By providing a centralized platform to operationalize diverse cyber resilience and compliance aspects, 6clicks becomes a force multiplier for holistically managing DORA requirements. 

Integrating disparate data sources, automating control monitoring, and synthesizing risk insights enables financial firms to demonstrate compliance readiness to regulators more efficiently. Partnering with 6clicks ensures you have the technology capabilities to comply with DORA. 

 

 


Written by Louis Strauss

Louis began his career in Berlin, where he also founded Dobbel Berlin, Berlin's curated search engine. Returning to Melbourne to join KPMG, Louis led the development of software designed to distribute IP and create a platform for use by advisors and clients. While at KPMG, Louis also co-authored Chasing Digital: A Playbook for the New Economy. Louis is accomplished in stakeholder management, requirements gathering, product testing, refinement, and project implementation. Louis also holds a Bachelor of Engineering and a Master of Information Systems from the University of Melbourne.