DORA: EU regulation on digital operational resilience of financial institutions

The new EU regulation DORA (Digital Operational Resilience Act) aims to establish a comprehensive framework for the harmonisation of digital resilience processes and standards in the financial sector. The regulation is also intended to strengthen the authority of supervisory authorities and allow for direct oversight. At Deloitte, we help financial institutions prepare for this new regulation and set up all related business processes to be as resilient as possible in the face of digital risks and fully compliant with the new rules.

DORA is the EU’s flagship initiative on digital operational and cyber resilience in the financial services sector. The regulation establishes a single set of regulatory and supervisory rules for the operational resilience of information and communication technologies in the financial sector. Among other things, it requires financial institutions to make significant investments to improve their resilience to digital and cyber risks.

The regulation was published in the Official Journal of the European Union on 27 December 2022 and will enter into force on 16 January 2023. From that date, institutions have 24 months to reflect the new rules in their processes.

Above all, the new obligations will require a change in the approach of the governing bodies - they will be tasked with strengthening the resilience of institutions to the digital threats that will dynamically evolve and minimising the vulnerability of business models. Financial institutions’ governing bodies, ICT risk management and other leaders of financial institutions will play an important role in driving internal change in response to DORA requirements, their implementation and in making the strategic investment decisions necessary to build resilience.

The above requirements apply to traditional financial services entities, financial technology providers as well as external service providers of financial companies.

Why is compliance crucial?

While the use of third parties is beneficial to financial entities, the increasing dependence results in a corresponding increase in operational risk and the potential for mismanagement. Strengthening the operational resilience of the broader financial sector is essential and is a shared concern. In addition, 1% of average daily global turnover can be imposed as a fine for breach of obligations

How Deloitte can help?

Deloitte's experts are ready to support organizations in establishing solid pillars of operational resilience as proposed and required by the DORA.

We offer holistic services that can support your organization from GAP analysis to implementation. We have proven tools and methodologies to help our Clients meet requirements of DORA:

• Risk Management Framework: To meet DORA’s requirements organizations will need to have established and reliable risk management processes. Deloitte will help to align your organization’s business strategies and cyber risks, and to maintain a comprehensive and effective risk management framework.
• Incident Reporting: DORA aims to harmonize incident classification and reporting processes. Early detection of incidents and timely response is crucial. We help our clients to adapt to the new EU reporting rules, align internal reporting processes to optimize resource allocation.
• Resilience Testing: DORA requires financial services to test their systems based on the associated risks. This includes vulnerability scans and penetration tests as well as robust business continuity and disaster recovery testing.

DORA introduces threat-led penetration testing (TLPT) for critical players. Deloitte Central Europe Cyber practice provides best-in-class penetration testing services due to our highly skilled professionals and technological background.

• Threat Intelligence Sharing:  Cyber threat activities often target multiple organizations of the financial industry at the same time. The DORA’s focus on the sharing of threat intelligence will help the entire sector to become more aware and proactive in preparation to the growing number and variety of cyber-attacks. We will assist our clients in developing and integrating a process of threat intelligence sharing to ensure our clients are able to take their part in threat intelligence sharing.
• Third-Party Risk Management (TPRM) and Monitoring: While large firms may already be applying many of the DORA's ICT risk management requirements, all impacted companies should assess whether their response and recovery strategies and plans also respond appropriately to the expanded rules in these areas. Deloitte’s TPRM framework is based on industry leading practices and global regulatory requirements and provides a holistic solution to our clients in managing complexities within third party ecosystems. By implementing TPRM platform our clients will enjoy all the benefits of an end-to-end technology platform that combines mobile data-collection, corporate and unit-level performance improvement tools, and mobile-optimized reporting and visual analytics dashboards.
  
• Select the Right Vendor for a GRC Tool: If our client wants to streamline the process of DORA compliance with the help of a GRC tool, we can assist with the vendor selection process to ensure all the client's needs are addressed.