Harmonising digital operational resilience throughout the EU’s financial sector.

Digital Operational Resilience Act (DORA)


The Digital Operational Resilience Act (DORA) was enacted on 16 January 2023. With an implementation period of two years, financial entities must comply with the regulation by 17 January 2025. DORA aims to establish a comprehensive and cross-sectoral digital operational resilience framework with rules for all regulated financial institutions. DORA will apply to more than 22,000 financial entities, which will have to adhere to strict standards to prevent and limit the impact of ICT-related risks.

What is digital operational resilience?

DORA introduces a five-pillar framework: ICT risk management; incident reporting; digital operational resilience testing; third-party risk management; and information sharing. Through this framework, DORA will help firms ensure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

ICT risk management

Under DORA, the management body is responsible for defining, approving and implementing a comprehensive ICT risk management framework. The framework should include a digital operational resilience strategy and the methods used to manage ICT and cyber risk and meet objectives by:

  • explaining how the framework supports the business strategy and its objectives;
  • establishing the tolerance level for ICT risk and analysing the impact of ICT disruptions;
  • setting out clear information regarding security objectives;
  • outlining the different mechanisms in place to detect, protect and prevent the impacts of ICT-related incidents;
  • defining a holistic ICT multi-vendor strategy at the entity level, highlighting key dependencies on ICT third-party service providers and explaining the rationale behind the mix of third-party service providers; and
  • reviewing the ICT risk management of third parties as it relates to the services provided.

ICT and cyber-related incident management

DORA requires financial entities to have an ICT-related incident management process that:

  • establishes procedures to identify, track, log, categorise and classify ICT-related incidents according to the priority, severity and criticality of services impacted;
  • assigns roles and responsibilities that need to be activated for different ICT-related incident types and scenarios;
  • sets out plans for communication to staff, external stakeholders and media, and for notifications to clients and counterparts as appropriate;
  • ensures that major ICT-related incidents are reported to relevant senior management and that the management body is informed of major ICT-related incidents, explaining the impact, response and additional controls to be established as a result of ICT-related incidents; and
  • establishes ICT-related incident response procedures to mitigate the impacts and ensure that services become operational and secure in a timely manner.

Digital operational resilience testing

DORA requires all entities to implement a sound and comprehensive digital operational resilience testing programme. It should:

  • take a risk-based approach, accounting for the evolving landscape of ICT and cyber risks, any specific threats to which the financial entity is — or might be — exposed, the criticality of information assets and services provided and so on;
  • ensure that tests are undertaken by independent parties (internal or external);
  • identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps; and
  • ensure that all critical tools and applications are tested at least annually.

Threat-led penetration testing is explicitly required by DORA, which includes requirements for the entity that extend to ICT/critical third-party service providers. The competent authorities must validate the scope of this testing.

ICT third-party risk management

DORA requires financial entities to manage ICT third-party risk as an integral component within their ICT risk management framework and in accordance with the principles defined. These principles include the following:

  • The principle of proportionality when managing risk, taking into account the scale, complexity and importance of ICT-related dependencies, and the risks arising from contractual arrangements, taking into account the criticality or importance of the respective service, process or function and the potential impact on the continuity and quality of financial services and activities at individual and group levels;
  • The requirement to adopt an ICT third-party risk strategy and review it regularly; and
  • The principle that financial entities shall maintain and update, at the entity, sub-consolidated and consolidated levels, a register of information concerning all contractual arrangements with ICT third-party service providers.

Critical third-party providers

DORA introduces an oversight framework for critical ICT third-party providers (CTPPs), outlining specific criteria for designating a third party as critical. CTPPs will be charged a fee to cover oversight costs. The oversight framework includes the provision of a ‘lead overseer’ for each CTPP, who will have the power to:

  • conduct general investigations and inspections and request documentation;
  • request reports after the completion of oversight activities specifying the remediation actions taken;
  • address recommendations towards ICT CTPPs on, for example, the use of conditions and terms to minimise possible systemic impact;
  • impose a periodic penalty payment to compel the CTPP to comply (a daily penalty of 1% of the prior year’s turnover for a maximum of six months); and
  • request the termination of contractual arrangements with relevant firms if a CTPP opposes an inspection.

Information-sharing

DORA encourages financial entities to exchange among themselves cyber threat information and intelligence, including indicators of compromise; tactics, techniques and procedures; cyber security alerts; and configuration tools, to the extent that such sharing enhances the digital operational resilience of financial entities and is implemented through arrangements that protect the potentially sensitive nature of the information shared. The information-sharing arrangements should also define the conditions for participation, and financial entities must notify the competent authorities of their involvement in such arrangements.

Technical standards

In the months ahead, the European Supervisory Authorities (ESAs), through the Joint Committee, will develop common draft regulatory technical standards in relation to:

  • Incident management: reporting content for major ICT-related incidents and conditions under which an entity can delegate, on receipt of approval, reporting obligations to a service provider.
  • Digital operational resilience: criteria for testing all critical applications at least yearly and requirements concerning the scope of threat-led penetration testing, testing methodology, approach, results, remediation and closure.
  • Third-party risk management: details on the content for policies in relation to contractual arrangements and the types of information to be included in the register of information.

Helping you prepare for DORA

Our IT risk and Cyber experts can assist with all aspects of DORA compliance, from current state assessments and gap analyses to implementing processes and controls and achieving compliance. Our dedicated project management experts can also ensure that your plans are clear, concise and tracked to completion.

Readiness assessments

The first step to compliance is a current state assessment and gap analysis to understand the level of maturity of ICT and cyber risk management and identify gaps in compliance with the regulation. In many cases, organisations will be leveraging—or have implemented—existing frameworks or guidelines such as NIS2 or the EBA’s Guidelines on Operational Resilience and Cross-Industry Guidance on Outsourcing, which provide a starting point for compliance. However, DORA is more prescriptive than the existing operational resilience and cybersecurity guidelines. So, while these will be a useful starting point, they will not guarantee compliance with DORA.

Implementation plans

A detailed implementation plan must be developed once the readiness assessment and gap analysis have been completed. It should provide clear direction on how compliance with DORA can be achieved by January 2025. This plan should be granular, have clear objectives and defined responsibilities, and be time-bound to ensure compliance by January 2025. Given the broad scope and nature of the regulation, the implementation plan will likely consist of changes or enhancements to existing policies, processes and documentation, as well as the development of new ones.

Project implementation

With a potentially wide-ranging plan to implement alongside other projects and business-as-usual activities, having a dedicated and experienced team focused on achieving compliance with DORA would benefit many organisations. Each workstream in the plan should have clearly defined deliverables, action owners and milestones, and these should be monitored closely to ensure successful delivery against the project’s timelines. Having worked with organisations of all sizes, we have seen examples of best practices and common pitfalls. As a result, we can bring hugely valuable insights to your organisation to deliver the plan and achieve compliance.


Contact us

Moira Cronin
Partner, PwC Ireland (Republic of)
Tel: +353 86 377 1587

Pat Moran
Partner, PwC Ireland (Republic of)

Richard Day
Partner, PwC Ireland (Republic of)

Neil Redmond
Director, PwC Ireland (Republic of)
Tel: +353 87 970 7107