Posted By Jessica Weisman-Pitts
Posted on March 8, 2022

By Angus Panton, Business Unit Director, Expleo
Resilience, the ability to maintain continuous service in the face of multiple threats and challenges, is a major theme for financial institutions in 2022. For digital-first organisations, this means putting a proactive risk mitigation strategy in place to avoid customer service interruptions, to enable faster recovery from outages, to ensure preparedness for potential vulnerabilities, and to stay compliant with evolving regulation.
The security threats faced by financial institutions are well documented, and mitigating them is part of maintaining daily operational integrity. So it comes as no surprise when research shows that financial services is the industry most targeted by cyber criminals (Kroll, Q3 2021), accounting for almost 13% of all cyberattacks, including email phishing scams and ransomware.
Many in the industry say enough is enough: the risks are too high and the impact too far-reaching for us not to act, and that means new legislation. In response, the European Commission has proposed the Digital Operational Resilience Act (DORA), which aims to harmonise the management of ICT risk arising from digital transformation across financial institutions in the EU. Expected at the time of writing to become law in 2024, the act proposes a unified approach to reforming the regulatory framework for financial entities in the EU. And while DORA is not directly applicable to the UK, there is good reason for UK financial entities to be aware of it, as it has the potential to shape outsourcing and third-party risk regulation for anyone engaging with entities inside the EU. Organisations that work across borders will need to meet the requirements of each jurisdiction.
The Act itself is complex, multi-faceted and the details are still being refined. As a result, many financial institutions are struggling to understand its various implications, including its potential to provide a harmonised approach towards better management of the various risks associated with ICT, and particularly critical third-party ICT suppliers.
To prepare for the new regulatory framework, we advise businesses to adopt a five-point approach that helps them identify current operational deficiencies and develop a compliance strategy for navigating this new ground.
- Build your digital operational resilience (DOR) awareness
Invest time and resources in understanding the implications of the legislation ahead of it coming into EU law. This includes figuring out the scope of work required, allocating resources and identifying the opportunities that come with enhanced DOR.
An effective way for your organisation to ensure it meets the requirements of the Act is to perform a gap analysis against the requirements of the regulation. As part of this, complete an ICT risk assessment for your organisation, so that each gap is tied to the risk it leaves open rather than recorded as a bare compliance finding.
- Train and coach your people
To get ahead of DOR you need to take your people with you: make sure you cover training and bring them up to speed with the changing requirements and demands that come with increasing digital transformation.
To help you with this, we’d recommend seeking the support of training and coaching programs offered by industry and regulatory experts to ensure employees understand new incident classification standards, terminology and acronyms related to DORA, and its implications for your business.
It can also be highly beneficial to provide enhanced training for the people directly responsible for testing and monitoring adherence to the new regulations. This will help ensure they are able to spot weaknesses in the system that have the potential to impact operational resilience.
- Vet your third-party providers
As many financial institutions rely on the capabilities of third-party vendors to support their overall offering, it is time to re-evaluate your relationships with these service providers. We recommend you start by reviewing their technical acumen, their industry standing and the tools they have at their disposal to facilitate regulatory-compliant DOR.
Look at it this way: the more we rely on external IT providers to manage our business processes and customer data, the larger the attack surface becomes, and with it our susceptibility to cyberattacks, including identity theft and ransomware. A provider's compromise is your incident. So paying attention to your third parties and their preparedness for DORA is key to overall resilience.
- Set up robust testing procedures
As DORA is set to mandate technical resilience testing, including threat-led penetration testing for the entities it designates, it is important to establish strong measures and controls on systems, tools and people so that they can stand up to these procedures.
Work with your organisation to establish comprehensive testing programmes that examine the security and integrity of your system architecture. Such a programme will give your people a better understanding of how to avoid or respond to threats and incidents in the future. Consider also clearly defining your team's responsibilities and timelines in relation to any such testing programme, including who owns remediation of the findings.
- Establish a reporting mechanism
Reporting plays a crucial role in tracking the progress of any digital transformation project, and this remains true for financial institutions planning a DORA compliance strategy.
Developing best-in-class reporting frameworks will enable you to tighten up communications around incidents. And by establishing compulsory and standardised reporting for all major ICT-related incidents, with agreed classification criteria and timelines, you gain greater control over the management of new internal reporting processes, which will help to minimise disruption to operations.
While the road to preparing for DORA may seem complex, with a better understanding of the various ICT risk management issues and the right guidance from experts, we believe financial institutions can successfully navigate this legislative change and be in an enhanced position to provide customers with continuous, highly available service.