Understanding the impact and future of the DORA regulation

In July, the European Supervisory Authorities (ESAs) published the final texts supplementing the DORA (Digital Operational Resilience Act) regulation. DORA applies from January 2025 and raises the bar on digital operational resilience and ICT risk management for all financial entities in scope.

Key takeaways from the final DORA regulation texts

In July, the European Supervisory Authorities (ESAs) released the final batch of supplementary texts (regulatory and implementing technical standards) that clarify how the DORA (Digital Operational Resilience Act) regulation is to be applied. These texts went through public consultation, are now final, and take effect early next year.

The final body of texts includes the following elements:

New DORA RTS regulations

Note that the RTS on the harmonisation of oversight (pillar 5) was released in its final version as two separate RTSs: one specifying how oversight is conducted and one specifying the composition of the oversight teams.

DORA’s main challenge is defining a convergent vision for IT risk management, operational resilience, and cyber resilience.

DORA requires a holistic and cross-cutting vision beyond business continuity to achieve digital operational resilience.

This means defining a comprehensive operational resilience strategy for the organisation (and for the Group, where applicable) that rests on a defined and formalised risk appetite, and reflecting that strategy in a digital operational resilience policy. Many of the building blocks may already exist in risk management and security policies and procedures, but they need to be aligned so that they express a single overall strategy.

Our experience with current major projects

Strengthening IT risk management and fully integrating it into the overall risk management strategy (pillar 1)

To achieve this cross-cutting view of digital operational resilience, financial entities must build a precise mapping of their business processes and of the information systems and ICT assets that support them. This mapping makes it possible to identify weaknesses and, more importantly, the critical interdependencies between processes, systems and providers.

The mapping then supports the formalisation of a global ICT risk profile integrated into the risk management framework. This profile must be monitored and kept up to date so that it reflects changes in the threat landscape and in the internal control system.

Enhancing the incident management process in stages (pillar 2)

Incident classification and reporting processes are already largely in place at most financial entities. Beyond classifying incidents, however, entities need to strengthen how they communicate them to external stakeholders, in particular supervisors and clients, by defining a clear and detailed communication plan that ensures notifications are issued quickly and effectively within the required deadlines.

Deploying automated detection (monitoring and alerting on anomalous activity) to reduce reliance on manual detection of incidents is recommended to strengthen this process.

Finalising resilience strategies and strengthening tests (pillar 3)

Most financial entities already run resilience tests.

What is still needed, however, is a genuine resilience testing strategy derived from the organisation's risk analysis. This strategy should include regular and comprehensive test scenarios that simulate a range of disruptions, so that the organisation can demonstrate that it responds effectively to the incidents it is actually exposed to.

Strengthening the management of critical ICT service providers (pillar 4)

This involves identifying critical ICT third-party providers on the basis of objective and formalised criteria, and collecting additional information about them, in particular on the risks they pose to the organisation's resilience strategy.

It also includes addressing concentration risk on third-party ICT providers by developing a multi-supplier strategy and exit strategies that cover the recovery of data, including personal data.

Some of this information is needed to maintain the future register of information on ICT third-party arrangements, whose format will be harmonised for all organisations.

This will require a comprehensive review of the contractual clauses with these providers. In addition, regular and systematic supplier audits are essential to verify that providers meet the security and operational resilience requirements placed on them.

DORA regulation provides some application simplifications for microenterprises

Note that microenterprises must review their ICT risk management framework less frequently than other financial entities. They must still maintain redundant ICT capacities, sized according to their risk profile; the ESAs will take this profile and the specific characteristics of the company into account when assessing its ability to mobilise resources in the event of an incident. Finally, the regime is more flexible on the digital operational resilience tests to be carried out, which are likewise proportionate to the same profile.

Insurance intermediaries are subject to the DORA regulation just like insurers

As expected, the DORA regulation applies to financial sector entities (credit institutions, insurance and reinsurance companies, etc.), but also to insurance and reinsurance intermediaries, provided they are not microenterprises or small or medium-sized enterprises, and to ICT third-party service providers (cf. article 2).

While cyber, IT and supplier management strategies are largely in place at financial organisations today, the DORA regulation aims to strengthen them and to create a convergent vision of digital operational resilience shared by all financial actors.

Implementing DORA represents a significant step in ensuring financial entities are better prepared to handle digital disruptions. By fostering a culture of resilience and proactive risk management, DORA enhances the stability of individual organisations and contributes to the overall stability of the financial system.

As the January 2025 application date approaches, financial entities must prioritise aligning their existing policies and procedures with the DORA requirements: reviewing current practices, identifying gaps, and making the adjustments needed to ensure compliance.

Moreover, the emphasis on a holistic and integrated approach to risk management underscores the importance of collaboration across different departments within an organisation. IT, risk management, compliance, and business continuity teams must work together to develop and implement a cohesive strategy addressing all aspects of digital operational resilience.

In conclusion, the DORA regulation is a comprehensive framework designed to enhance the digital resilience of financial entities. By requiring a holistic approach to risk management and operational resilience, it ensures that organisations are better equipped to withstand ICT disruptions. As financial entities prepare for the upcoming changes, the focus should be on building a robust and adaptable resilience strategy that can keep pace with evolving threats.