The Digital Operational Resilience Act (DORA), published in the Official Journal of the European Union, came into force on 16th January 2023. The new Regulation will apply from 17th January 2025. Read more about the implications of DORA for UK firms here.
The European Union (EU) is implementing DORA as part of its drive to reduce the vulnerabilities and strengthen the resilience of critical organisations such as banks, insurance companies and investment firms. It is primarily designed to consolidate and upgrade Information and Communications Technology (ICT) risk requirements so that all participants are subjected to the same set of standards.
DORA applies to a wide range of financial service sectors that operate within the EU, including Insurance, Investment, and Payment firms.
But how do UK and Irish financial service firms that operate in Europe consolidate their current Operational Resilience and TPRM programmes with DORA?
Dan Waltham, Director at FourthLine, explores this further in his blog: Thoughts on consolidating CBI Outsourcing, Operational Resilience and DORA delivery.
What are the main obligations of DORA?
- ICT Risk Management: DORA sets out several key requirements for firms to establish and maintain resilient ICT systems that minimise the impact of any disruptive event. ICT risk should be continually and proactively identified, and preventative controls uplifted and maintained, to ensure that they remain effective and fit for purpose. Given that firms realistically won't be able to prevent every threat, they must maintain a readiness to respond when a disruption does occur. This means creating, maintaining, and testing BCM and DR plans to ensure prompt recovery following a disruptive event. Lastly, firms must incorporate lessons learned from any disruptive event, feeding them back into the proactive risk identification, prevention, and detection stages.
- ICT Incident Reporting: A process should be established to monitor and capture ICT-related incidents. The firm should build the capability to monitor, manage, and follow up on incidents, including reporting incidents to the appropriate authorities using a common template. In addition, the firm should provide regular update reports on ICT incidents to its users and clients.
- Digital Operational Resilience Testing: Firms should implement, and regularly conduct, a proportionate, risk-based digital operational resilience testing programme. In addition, firms should conduct Threat-Led Penetration Testing (TLPT) to address higher levels of risk exposure. Where testing identifies weaknesses or gaps, these must be addressed with uplifted or new preventative measures to prevent recurrence.
- ICT Third Party Risk: Firms should treat critical third parties as an extension of their ICT Risk Management Framework, which means firms must monitor and manage any risks where a third party is a critical component of a service or ICT application.
- Information sharing: Firms should create and maintain a process to share cyber threat information and intelligence, provided that such exchange of information aims to enhance ICT resilience across the financial services sector.
How FourthLine can help
Do you need expert assurance and benchmarking on your firm's programmes for Resilience, DORA and TPRM compliance?
Enquire about our free review here, or book a time with one of our consultants here now.