DORA: Moving into a new era of digital resilience

The EU’s Digital Operational Resilience Act will come into force in just over a year, the majority of risk management professionals are only at the beginning of their planning journey. Kate Needham-Bennett of Fusion Risk Management explains how to get things moving

Kate Needham-Bennett

Published: 19 Oct 2023

Operational resilience is the discipline that is taking organisations beyond an internally-focused business continuity or information technology disaster recovery (ITDR) programme to look at the wider impact of disruption to services through an external-facing lens. Properly defined, operational resilience is the “ability of firms, [financial] market infrastructures, and the [financial] sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption.”

Regulations such as the Digital Operational Resilience Act (DORA) have taken the complementary step of regulating operational resilience across not just financial services institutions in the European Union (EU) but associated information and communication technology (ICT) and third-party providers as well. With the globalisation of the financial services industry though, external organisations that are providing financial services within the EU or as a critical third-party service provider are forced to reconsider their resiliency efforts.

Whether we look at DORA or other recent resilience regulations, there are common requirements between them; to be efficient, this will necessitate a unified or holistic interdepartmental approach. Whether a regulated organisation or not though, these methods and practices are being seen as examples of operational excellence, which could benefit all. Being able to see the connections across your operating model and understand where there are vulnerabilities helps to ensure the continuity of the service delivery or money-making sides of your enterprise.

A framework for achieving digital resiliency

DORA officially entered into force in January 2023 and will apply from January 2025, following rounds of public consultation and the introduction of regulatory technical standards (RTSs) and implementing technical standards (ITSs) from January 2024. With the implementation period well underway, the clock is ticking for organisations to prioritise compliance efforts in order to avoid regulatory and financial consequences.

DORA was developed to strengthen compliance efforts and amalgamate a plethora of existing regulations from across the EU into one cohesive act. As such, some of the requirements are already being adhered to as part of regular compliance programmes, e.g. the EBA (European Banking Authority) Guidelines on Outsourcing Arrangements or on ICT and Security Risk Management.

However, financial supervisory authorities will now be empowered to monitor and audit financial entities more closely, introducing a uniform incident reporting mechanism with the goal of ensuring financial stability, protecting consumers, and increasing knowledge sharing across EU member states.

Approaching compliance with DORA

Many organisations struggle with where to start when it comes to addressing transformative resiliency efforts. The best first step to take is to establish a holistic understanding of your organisation’s resilience posture. Assessing your organisation’s functions, interdependencies, and risks will provide you with a baseline, from which you can conduct a gap analysis against the regulatory requirements to see where you are already compliant due to existing regional legislation or where further action is required.

In all aspects though, DORA and the European supervisory authorities (ESAs), during the public consultation sessions on the draft technical standards (that were released in June 2023), have explicitly provided for a proportional approach. Organisations should consider their size and risk profile as well as the nature, scale, and complexity of their services and then plan accordingly before diving in. Whilst DORA is a lot more prescriptive than previous regulations, aspects of it may already be being addressed by resilience, risk, cyber, or third-party teams; this is simply the opportunity to break down those siloes and bring all of their efforts together.

Five action areas to start

Categorise and map critical or important functions (CIFs): Establishing business process maps and interdependencies is the first step to understanding how your organisation works. You must map which departments, process owners, and third parties contribute to the continuous delivery of critical functions to understand how they may be threatened.
Identify gaps in your ICT risk management policies and procedures: Understand where there are any gaps in your network security, data encryption, access controls, security training, maintenance and load testing, etc. and begin to plan out measures to address them. In the meantime, ensure that there are adequate preventative procedures and control measures in place to minimise any impact due to non-compliance.
Inspect your incident reporting framework: Most organisations will already have measures in place to prevent (where possible) and then manage ICT incidents as well as have logs of events; however, many will need to look at building out their analysis mechanisms to ensure that lessons are learnt and remedied as well as look at how they are using the data being monitored across disciplines to develop early warning systems.
Begin collating your register of all ICT-related outsourcing: Your organisation will likely already have a material outsourcing policy in place and conduct additional due diligence on tier one vendors. However, you may need to adapt this policy to address the use of ICT services that support CIFs as well as develop a methodology for determining which ICT services come in scope and should be included in the audit plan.
Examine your resilience testing programme: It will no longer be enough to simply conduct an annual business continuity plan walkthrough, CMT desktop exercise, and ITDR failover. Operational resilience policies already require organisations to take a more stringent, evidence-based approach across a wide range of severe but plausible scenarios for their important business services. DORA expands on this, requiring organisations above a certain threshold to conduct “advanced” threat-led penetration testing (TLPT) every three years, in line with the TIBER testing being already conducted by some organisations.

Challenges for implementation

One of the largest compliance obstacles for DORA is information or departmental silos within an organisation. Adherence to the act will take a collaborative approach between cyber, security, resilience, third-party, and risk teams to all work off of the same data sources and share results and lessons learnt from their work with one another.

It’s easy to get caught up in the whirlwind of departmental demands, but it’s important not to lose sight of developments to DORA, with the draft technical standards due to be submitted to the Commission by 17 January 2024 for adoption and a second batch of technical standards due to be submitted to the commission by 17 July 2024. This second set should help to clarify some of the requirements around threat-led penetration testing, subcontracting of CIFs, and the content and timeline of incident reporting.

Those boards and C-suites that view compliance with DORA as a strategic investment, by allocating it the budget and resources that it requires now, stand the best chance of not only meeting compliance requirements but of having an organisation with an agile resilience posture that can adapt at pace to the continually shifting risk landscape, setting them up for a brighter and more secure reputational and financial future.

Kate Needham-Bennett is senior director of resilience innovation at Fusion Risk Management.

Read more on Regulatory compliance and standard requirements

NIS2: Why organisations need a unified cybersecurity standard