In recent years, we have experienced unprecedented global events that radically changed and challenged organisations and how they operate. To cope effectively with this change and ensure continuity in delivering products and services to clients during a disruption, organisations are required to be proactive, build resilience and move away from legacy disaster recovery strategies that focus mostly on recoverability.
The term “recoverability” is starting to disappear. Recoverability is an organisation’s ability to resume operations with minimal loss after a disruption; the trend in business continuity has shifted towards “resilience” rather than “recoverability”. Resilience is an organisation’s ability to avoid disruptions in the first place, or to sustain operations while they occur. While more complex and expensive to implement, resilience (via redundancy or high availability) should take precedence over building recoverability.
DORA – the Digital Operational Resilience Act, which aims to make financial organisations and their third parties “highly available” – entered into force on 16 January 2023, beginning a 24-month implementation period during which entities must implement the measures necessary to meet DORA requirements. From 17 January 2025, DORA will apply to a broad range of financial institutions. “Digital operational resilience” is defined in DORA as the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.
DORA therefore aims to create a regulatory framework on digital operational resilience whereby all firms must ensure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states, with the core aim of preventing and mitigating cyber threats.
It covers all financial actors from credit institutions to AIFMs, payment institutions, insurance companies and statutory auditors. While the scope of the CBI Guidance on Operational Resilience applies to all regulated financial service providers, the scope of DORA is much broader and as such, a vast range of entities from large and complex organisations to small and simple businesses may be required to comply with this regulation. DORA will apply to a wide range of financial entities, such as:
• Credit institutions
• Payment institutions
• Electronic money institutions
• Insurance companies
• Management companies
• Investment firms
• Crypto-asset service providers
• Central securities depositories
• Third party ICT-related service providers
The Regulation contains a review clause (3 years from now) on whether statutory auditors and audit firms should be included within the scope of DORA.
Technology risks have no borders, and the financial sector deploys its services all around the world. Therefore, DORA does not only concern European entities. Its scope is broader.
Third-party ICT-related service providers outside the EU are subject to DORA requirements as soon as they enter into contractual arrangements with financial entities covered by DORA. Those providers, if designated under DORA as “critical providers”, are required to set up a subsidiary in the EU within 12 months of the designation if they do not already have one. While there is no requirement to process data locally in the EU, DORA states that EU supervisory authorities can conduct inspections outside the Union if necessary.
DORA aims to create a regulatory framework on digital operational resilience whereby all firms must ensure they can withstand, respond to, and recover from all types of ICT-related disruptions and threats. DORA does this by setting out an ICT framework for identifying and managing risks that threaten the organisation’s operations.
Key chapters of DORA:
ICT Risk Management
• Setting up an ICT risk governance framework aligned with the Three Lines of Defence model
• Implementing an ICT risk management framework to ensure that ICT risks are identified and managed in a prompt and effective manner
• Applying the principle of proportionality, taking into account the size, nature, scale and complexity of services, activities and operations, etc.
Incident Reporting
• Tackling the issues caused by the proliferation of ICT incident reporting requirements
• Opening the door to the establishment of a single EU hub for major ICT-related incident reporting by financial institutions
Digital Operational Resilience Testing
• ESAs to develop standards and procedures for the mutual recognition of tests across EU Member States
• Increase in the number of firms in scope for mandatory and regular testing (“significant and cyber-mature financial entities”)
ICT Third-Party Risk
• The contracts that govern third-party relationships will be required to contain a minimum set of information
• Critical ICT third-party service providers will be monitored at a pan-European scale
DORA contains the future architecture of the technical digital requirements needed to support the widespread arrival of technologies such as blockchain, digital assets, and the increased use of data. The proposal for DORA, included in the Digital Finance Package, is the first piece of legislation at the European level addressing the topic of digital operational resilience for financial services.
DORA enables an organisation to set out its approach to making the critical technology infrastructure elements that support essential business outcomes more resilient and, when recovery is required, to recovering its critical technology faster. Establishing, implementing and improving a resilience approach will cultivate a resilient organisational culture, ensure the protection of business reputation, minimise financial risk during disruption, protect valuable business data and provide a competitive advantage.
Instead of considering DORA as just another piece of legislation, organisations should understand the value it brings. Today, operational resilience is crucial to the survival of any organisation. It is vital even for entities whose disruption would not have an enormous impact, such as online retailers or social media platforms, and all the more so for entities whose disruption might have a significant impact on people, such as banks, energy companies or logistics providers. Regardless of the size of the organisation or the service provided, downtime means loss of money and loss of reputation, and therefore loss of trust, in any sector.
Deloitte can support you on your DORA compliance journey by assessing your current readiness and proposing measures to meet the regulatory requirements, while customising the remediation plan to your specific environment. We have the specialist skillset and experience to support organisations in implementing the frameworks, processes and controls needed to comply with DORA. Deloitte can help you improve your current capabilities and prepare your organisation to comply fully with DORA.