January 30, 2021

DORA is Here: What the EU’s Digital Operational Resilience Act Means for Financial Firms

The European Union’s Digital Operational Resilience Act (DORA) is a landmark regulation within European markets to harmonise and strengthen operational resilience against Information and Communication Technology (ICT) risks. This was in response to the increasing threat of ICT disruptions and is intended to protect the digital integrity of the EU’s financial markets. DORA creates a consistent rulebook that demands operational resilience be elevated to a strategic, board-level responsibility.

The Five Pillars of the DORA Framework

DORA’s core requirements are structured around five pillars:

  • ICT risk management
  • ICT-related incident reporting
  • Digital operational resilience testing
  • Managing third-party ICT risk
  • Information sharing

Firms have unique responsibilities for each of these pillars, and together they form the framework for managing digital operational risk:

ICT Risk Management

DORA mandates that firms move beyond simple, reactive compliance and instead implement a comprehensive ICT risk management framework. This level of integration demands board-level engagement and supervision: DORA requires the management body to own the firm’s ICT strategy. Thorough ICT risk management involves identifying, classifying and mitigating ICT-related risks, adopting a proactive approach to risk management in general, and ensuring firm-wide awareness of ICT-related risks.

ICT-Related Incident Reporting

DORA introduces a standardised process for incident reporting. All major ICT-related incidents must now be escalated and reported to the relevant National Competent Authorities (NCAs). Firms must implement the necessary frameworks and security systems to detect and classify these incidents. Through a culture of transparency, anonymised threat intelligence may then be shared with the wider market by NCAs, giving all firms the opportunity to respond effectively to emerging threats.

Digital Operational Resilience Testing

Firms must regularly test the resilience of their ICT systems through scenario testing and simulations in order to prepare for potential threats. Advanced Threat-Led Penetration Testing (TLPT) can be used to understand the effects of large-scale cyber attacks by simulating the tactics of real attackers. The goal of scenario testing is to proactively identify security gaps, and DORA assigns firms clear responsibility for reporting those gaps and remediating any identified weaknesses.

Managing Third-Party ICT Risk

DORA places particular emphasis on the management of third-party risks, requiring enhanced oversight of third-party providers. Firms are held accountable for the third-party vendors that they use and are now expected to meet rigorous due diligence requirements and include specific resilience measures in all contracts. Third parties will be expected to maintain consistent standards of security and demonstrate robust, diligent practices across their entire supply chain. This pillar is particularly important for cloud-based services: heavy reliance on a small number of cloud service providers creates concentration risk for European financial markets.

Information Sharing

Under the DORA framework, cyber threat and digital operational resilience intelligence must be communicated and shared among financial entities. This collaboration between competing firms encourages collective participation in mitigating market risk. By building a shared pool of data for market participants and regulators, firms can contribute to strengthening the resilience of the sector and reducing systemic risk.

What are the Key Implementation Challenges for Financial Firms?

While DORA provides a clear framework for digital operational resilience, implementing it presents several key challenges for firms.

One of the most apparent difficulties is the cultural shift required to manage compliance proactively and in a centralised way. Firms will need to adopt a new mindset that moves beyond traditional, siloed, reactive approaches to compliance and instead treats compliance as the responsibility of everyone in the firm.

There are also internal technological and resource considerations, as firms will need to implement new digital systems capable of managing scenario testing and enhanced risk management measures. Implementing or upgrading key systems will involve significant upfront investment as well as an overhaul of outdated legacy systems. Firms may also need to source expertise and capabilities from third-party providers, which brings additional third-party risks that must themselves be identified and documented.

DORA mandates that firms demonstrate their compliance through comprehensive documentation, clear governance and robust processes. Firms that adopt a proactive approach to compliance through data-driven insights and evidence-based reporting will be able to demonstrate adherence to regulators. In doing so, they will also build digital operational resilience capable of withstanding severe real-world disruptions.

Digital operational resilience is now of critical importance, as compliance has become a proactive exercise demanding board-level accountability. Firms must make several changes to meet the new requirements, including upgrading legacy software and systems and taking on enhanced responsibility for the third-party services that they use.

DORA is live — is your firm audit-ready? Get in touch with Novatus Global to validate your ICT risk controls, third-party oversight and reporting protocols.
