With the deadline for the European Union’s Digital Operational Resilience Act (DORA) less than a year away, financial entities and service providers need to begin acting to reach compliance. Learn the steps organizations should take to prepare now and discover how the new DORA regulations will strengthen digital operational resilience.
Financial institutions’ reliance on information and communication technologies (ICT) for core operations brings immense opportunities in today’s digital world but also exposes banks, investment firms, insurers, and other financial entities to significant cyber threats and operational risks. To address these growing vulnerabilities, the EU has enacted DORA.
The DORA regulations are expected to significantly enhance the digital resiliency of the EU’s financial sector and foster greater stability, consumer protection, and trust. Financial institutions and authorities are working toward meeting the implementation deadline of January 17, 2025. Let’s explore this further.
DORA addresses two critical concerns:
- Rising cyber threats: DORA mandates robust cybersecurity measures to protect financial systems from increasingly sophisticated and frequent cyberattacks that steal sensitive data, disrupt operations, and erode trust
- Potential financial instability: DORA aims to prevent ICT incidents from cascading through the financial system, jeopardizing its stability and impacting consumers and businesses. The regulations ensure financial institutions can withstand, respond to, and recover from ICT-related incidents
Who will be impacted by DORA regulations?
DORA will impact all financial institutions and ICT third-party service providers. This includes banks and credit institutions, investment firms, trading platforms, and providers delivering critical services like cloud computing, data centers, credit ratings, and data analytics. It applies to over 22,000 financial entities in the EU, as well as to ICT providers that support them from outside the EU.
DORA framework
DORA establishes a comprehensive framework for managing digital operational resilience across the financial sector. Some key provisions include:
- Enhanced ICT risk management: Financial institutions must implement robust ICT risk management practices, including threat identification, vulnerability assessments, and incident response plans
- Mandatory incident reporting: Major ICT-related incidents and significant cyber threats must be reported to authorities, enabling faster response and improved threat intelligence sharing
- Regular digital operational resilience testing: Financial institutions must conduct regular ICT systems testing to identify and address vulnerabilities
- Strict oversight of ICT third-party providers: Financial institutions are accountable for the resilience of their third-party ICT service providers, with DORA outlining clear oversight and risk management requirements
DORA requires third-party providers to maintain robust cybersecurity measures and operational resilience capabilities to mitigate risks from potential vulnerabilities and disruptions. Moreover, financial institutions must ensure their current and future contracts with providers are compliant.
DORA focuses on five strategic pillars centered around data: risk management, third-party risk management, incident reporting, information sharing, and digital operational resilience testing. However, many financial institutions still run legacy technology systems that could create obstacles to data management.
How can financial institutions comply with DORA regulations?
Immediate next steps financial institutions should take to prepare for the January 2025 deadline include:
- Conduct a gap analysis and develop an operational resilience framework, business continuity plans, and governance policies
- Assess risks with third-party providers in the sourcing portfolio and review existing contracts that may be at risk of termination by authorities
- Ensure risk and compliance leaders are represented on management boards, as the board will have full accountability for ICT risk management
- Establish systems for managing, logging, and reporting ICT incidents to regulators
How can providers help financial institutions achieve compliance?
By leveraging their deep understanding of enterprise technology footprints, providers should proactively assist enterprises in meeting the regulatory deadline. We recommend providers take the following actions:
- Develop a perspective on how DORA will impact financial institutions to ease clients’ worries and gain mindshare with new customers
- Identify accounts needing support to determine current and future states, business continuity plans, risk management frameworks, etc.
- Evaluate incumbency status and competitive landscape threats. Acknowledge financial institutions will need to reduce their reliance on a single or small group of providers and have open discussions with clients to ensure transparency and collaboration
- Develop effective rules, procedures, mechanisms, and arrangements to manage ICT risks to financial entities
- Review contracts and proactively identify clauses needing changes to incorporate DORA compliance
- Prepare to undergo threat-led penetration testing with financial institutions if deemed critical by regulators
In the near term, we foresee the banking, financial services, and insurance (BFSI) industry in the EU being impacted in the following ways:
- A spike in demand for security services as financial institutions run security maturity assessments to review their current state of DORA compliance
- Revamped sourcing portfolios as financial institutions assess the concentration risk of functions deemed critical under DORA
- Increased demand for qualified talent to conduct vulnerability assessments, performance testing, penetration testing, etc.
With the deadline fast approaching, enterprises and providers cannot afford to wait for the regulatory process to conclude and must begin to take these recommended steps to reach compliance by 2025.
To learn more about the Digital Operational Resilience Act and how to achieve compliance with the DORA regulations, contact Kriti Gupta, [email protected], Pranati Dave, [email protected], and Laqshay Gupta, [email protected].