
Enhancing Digital Resilience is of Utmost Importance - The Demands of DORA in Risk Management Regard

Elevating Information and Communication Technology (ICT) risk management to its central operations, as declared by DORA.


The Digital Operational Resilience Act (DORA), which applies from 17 January 2025, reshapes the European Union's regulatory landscape by introducing a single, harmonised framework for the operational resilience of the financial sector. The regulation aims to strengthen ICT security and risk management across financial entities and the ICT third-party service providers they depend on.

DORA mandates a systematic approach to ICT risk management, with key requirements in six areas: the risk management framework itself, incident management and reporting, resilience testing, third-party risk management, governance and accountability, and information sharing.

1. **ICT Risk Management Framework**: Financial entities must define, approve, and implement a holistic ICT risk management framework. This includes a digital operational resilience strategy that sets out how ICT and cyber risks are identified, managed, and mitigated, and it must cover the full lifecycle of ICT assets: identification, protection and prevention, detection, response and recovery, and learning from incidents. Regular risk assessments and continuous threat monitoring are mandatory, and the framework has to be reviewed at least annually and after major incidents.

2. **Incident Management and Reporting**: Financial entities must establish an ICT-related incident management process that ensures timely detection, classification, and reporting of major ICT-related incidents to the competent authority within strict deadlines. The deadlines are fixed in the accompanying technical standards: an initial notification within four hours of classifying an incident as major (and no later than 24 hours after becoming aware of it), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report. Classification must follow the harmonised criteria (clients and counterparts affected, duration and service downtime, geographical spread, data losses, criticality of the services affected, and economic impact), so the classification logic needs to be defined before an incident, not during one.

3. **Digital Operational Resilience Testing**: Entities must run a regular and comprehensive resilience testing programme covering their critical ICT systems and applications, ranging from vulnerability assessments, open-source analyses, and scenario-based tests to penetration testing. Entities identified by their competent authority must additionally carry out threat-led penetration testing (TLPT) at least every three years, including against live production systems, to verify their ability to withstand, respond to, and recover from ICT disruptions. Findings from testing must be fed back into the risk management framework and remediated in a tracked manner.

4. **Third-Party ICT Risk Management**: Managing the risk arising from ICT third-party service providers is a core obligation. Entities must keep a register of information on all contractual arrangements with ICT third-party providers, perform due diligence before contracting, and ensure that contracts contain the mandatory provisions (service descriptions, data locations, security and availability levels, incident assistance, audit and access rights, and exit strategies) so that providers meet the required resilience and security standards. Concentration risk and the possibility of exiting a provider must be assessed explicitly. At the EU level, an oversight framework for critical ICT third-party providers (CTPPs) defines designation criteria and assigns a Lead Overseer, one of the European Supervisory Authorities, to monitor each designated provider's compliance and risk management.

5. **Governance and Accountability**: The management body bears the ultimate responsibility for ICT risk management. It must define and approve the framework and the resilience strategy, set clear roles and responsibilities for ICT-related functions, monitor compliance, and allocate adequate budget and resources for digital operational resilience. Its members must also maintain sufficient knowledge of ICT risk, including through regular training.

6. **Information Sharing and Collaboration**: DORA encourages financial entities to exchange cyber threat information and intelligence (indicators of compromise, tactics, techniques and procedures, and security alerts) within trusted communities, under arrangements that protect the sensitivity of the shared information, and to notify competent authorities of their participation in such arrangements.

Josefine Spengler of Annerton stresses the importance of a structured approach to DORA implementation in episode 3 of the "All Legal - Fintech Law Compact" podcast series. The news article about this podcast series was written by Dana Wondra, Senior Manager Marketing at Payment & Banking since August 2023 and currently employed by GOLT Coaching.

Implementing DORA requires a consistent, continuously maintained overview of ICT risks rather than a one-off compliance exercise. Companies can meet the requirements through uniform templates, clearly defined processes, and assigned responsibilities. Smaller institutions can implement DORA pragmatically, for example through the simplified ICT risk management framework that the regulation provides for certain smaller entities, or through targeted outsourcing, while remaining accountable for the outsourced services.

Under DORA, digital resilience is a leadership task: the management body holds the central responsibility for ICT risk management and cannot delegate it away. Regular training on ICT risk is mandatory for management. In this respect DORA goes beyond traditional IT risk management, which often stops at documenting controls, and demands active management of risks and demonstrable resilience.

In summary, DORA aims to ensure financial institutions can robustly manage ICT risks and remain operationally resilient in the face of cyber and ICT disruptions. Implementing these measures in a structured way involves embedding them into corporate governance, operational processes, and contracts, supported by regular review and improvement cycles.
