The Digital Operational Resilience Act (DORA) is a newly implemented EU regulation, effective from January 2023. This regulation is a crucial component of the EU Commission's digital financial package, aimed at enhancing the digital resilience of the European financial market. Its primary objective is to ensure that financial market participants can maintain safe and reliable operations, even in the face of significant disruptions in information and communication technology (ICT).

Companies affected by this regulation have been granted a transition period until January 2025 to achieve full compliance.

Navigating DORA compliance

Governance and ICT risk management

DORA places significant emphasis on the responsibility of the management body for ensuring digital operational resilience. Management must guarantee adequate protection against ICT disruptions and cyber-attacks.

DORA envisions a comprehensive ICT risk management framework as essential for building resilient financial firms. This framework enables the identification, assessment, management, and monitoring of ICT risks. One example of DORA implementation is the establishment of resilient ICT systems adhering to a consistent standard in the European Economic Area.

Legal aspects

DORA specifies contract requirements with third-party ICT providers that must be incorporated into the contract management of financial institutions. Implementing DORA requires categorizing existing contracts, establishing target requirements, conducting gap analyses, and addressing potential gaps. Furthermore, DORA alters the responsibility and liability risks of companies and executives regarding third-party ICT risks, requiring a review and potential adjustment of insurance coverage.

ICT incidents

DORA aims to standardize reporting obligations for serious ICT incidents across the European financial industry. The goal is to enhance responses to these incidents and ensure effective cooperation between national and European authorities. Implementation includes the introduction of uniform procedures for monitoring, classifying, and reporting ICT incidents to relevant authorities.

Digital operational stability testing

Regular testing of the operational stability and security of critical ICT systems is essential for the seamless functioning of financial businesses. A risk-based testing approach is required to detect and address potential ICT disruptions. An example of implementation is conducting penetration tests on live production systems at least every three years to identify vulnerabilities and counter potential attack vectors.

Control ICT third-party risk

DORA facilitates effective monitoring of risks posed by third-party ICT providers, which is crucial as financial firms increasingly rely on these services for their IT systems and processes. Implementation includes penalties and termination options for non-compliant third-party ICT providers, ensuring robust risk monitoring by financial firms.

Protection and prevention

Financial organizations must ensure that their ICT systems and processes can swiftly and effectively detect and respond to potential threats. DORA specifies requirements for processes and systems to promptly detect and defend against such threats. An example of implementation is automatic network isolation during cyber-attacks, minimizing data loss and system failure while expediting the restoration of normal operations.

Challenges for Customers

The introduction of DORA may pose challenges for financial firms, requiring updates to ICT systems, process optimization, and employee training to meet the new requirements.

Key areas KPMG professionals can assist

DORA compliance strategy and management consulting

We can help financial organizations formulate and execute effective strategies to achieve DORA compliance, including governance and risk management enhancements.

Information Security Management System (ISMS)

We specialize in bolstering information security measures, ensuring that ICT systems and processes align with DORA requirements, thereby safeguarding digital operational resilience.

Information Risk Management (IRM)

We assist with identifying, assessing, managing, and monitoring ICT risks, helping financial firms establish a robust risk management framework as mandated by DORA.

Outsourcing and cloud solutions

We provide expertise in evaluating and handling third-party ICT providers to mitigate risks, offering insights into contract management in line with DORA's specifications.

We have knowledge and experience in a wide range of fields relevant to DORA, such as management consulting, information security management (ISMS), information risk management (IRM), continuity management (BCM), technical security testing, outsourcing, and cloud solutions. Our specialized consulting services can cover the most diverse aspects of all of these areas while benefiting from a thorough understanding of processes, risks, and governance structures.

As a global organization, we have access to experts and know-how from all over the world, and, by working with international teams, we can create custom digital solutions for the financial sector that truly meet its needs. In addition, our experts bring clients tools for effective risk management and control management, including the coordination of suppliers and their ICT contracts.
