Digital Operational Resilience Act (DORA)

The new regulatory framework on digital operational resilience for financial institutions is now in place

Is your game plan already in place to ensure compliance?

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is a European framework for the effective and comprehensive management of digital risks in financial markets. It applies to more than 22,000 financial entities and ICT service providers within the EU.

By introducing a single, consistent supervisory approach across the relevant sectors, DORA aims to ensure that financial services firms can maintain resilient operations throughout a cybersecurity or ICT incident that causes severe operational disruption.

Which organizations does DORA apply to?

  • Given its holistic approach, DORA covers a wide range of financial institutions. In scope are not only banks and insurance firms, which were already familiar with such requirements from the EBA and EIOPA guidelines on ICT security and outsourcing, but also central market infrastructures, credit rating agencies, crypto-asset service providers, investment firms and management companies, pension funds, payment service providers, trade repositories and trading venues.

  • ICT third-party service providers, including cloud service providers, that deliver services to financial entities may now fall under the Oversight Framework. Within this framework the European Supervisory Authorities (ESAs) may designate providers as 'critical ICT third-party service providers'. The designation criteria are laid down in DORA and further specified in a Commission delegated act; they are based mainly on the systemic impact of the services provided to the financial market, the reliance of financial entities on the provider and the substitutability of the provider.


By introducing a single consistent supervisory approach across the relevant sectors, DORA aims to assure that financial services firms can maintain resilient operations through a cybersecurity or ICT incident of severe operational disruption.

Mairead McGuinness, European Commissioner for Financial Stability, Financial Services and the Capital Markets Union

When will DORA be enforced?​

DORA entered into force on 16 January 2023. After a two-year implementation period, during which the European Supervisory Authorities (ESAs) develop the Level 2 regulatory and implementing technical standards, financial entities are expected to comply with the regulation from 17 January 2025.

  • On 24 September 2020, the European Commission published its proposal for the Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP).

  • Negotiations under the Portuguese and Slovenian EU Presidencies (2021)
  • The Council of the EU adopts its mandate for negotiations with the European Parliament (November 2021)
  • Following the publication of the European Parliament's and the Council's positions on DORA, the co-legislators hold political and technical trilogues throughout H1 2022.
  • The Council of the EU adopts DORA on 28 November 2022, after the European Parliament voted in favour of the act on 10 November 2022.

  • DORA enters into force on 16 January 2023.​

  • By June 2023, the European Supervisory Authorities (ESAs) publish their first consultation papers on the Level 2 regulatory and implementing technical standards (RTS and ITS) that further specify certain requirements.

  • The ESAs submit the draft regulatory and implementing technical standards to the European Commission in two batches (by 17 January 2024 and 17 July 2024). These standards give entities specifications and guidance on how to implement specific DORA requirements.

  • The European Commission adopts further delegated acts (criticality criteria for ICT third-party providers, oversight fees) based on ESA advice.

  • DORA requirements apply from 17 January 2025.

What is the scope and which particular topics are to be addressed?

ICT Risk Management

Financial entities are required to set up a comprehensive ICT risk management framework, including:

  • setting up and maintaining resilient ICT systems and tools that minimise the impact of ICT risk,
  • identifying, classifying and documenting critical or important functions and the assets supporting them,
  • continuously monitoring all sources of ICT risk in order to set up protection and prevention measures,
  • promptly detecting anomalous activities,
  • establishing a dedicated and comprehensive ICT business continuity policy and ICT response and recovery plans, covering all supporting functions and tested at least yearly,
  • establishing mechanisms to learn from, and evolve in response to, both external events and the entity's own ICT incidents.

ICT-Related Incident Reporting

Financial entities are required to:

  • establish a streamlined process to log and classify all ICT-related incidents and to determine which are major incidents, according to the criteria laid down in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA),
  • submit an initial notification, an intermediate report and a final report on major ICT-related incidents to the competent authority,
  • harmonise the reporting of ICT-related incidents by using the standard templates developed by the ESAs.

Digital Operational Resilience Testing

The regulation requires all entities to:

  • perform basic testing of ICT tools and systems at least yearly,
  • identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps by implementing corrective measures,
  • periodically (at least every three years) perform advanced Threat-Led Penetration Testing (TLPT) of the ICT services that support critical or important functions. ICT third-party service providers are required to participate in and fully cooperate with the testing activities.

ICT Third-Party Risk Management

Financial entities are required to: 

  • ensure sound monitoring of the risks arising from reliance on ICT third-party service providers,
  • maintain a register of information on all contractual arrangements with ICT third-party service providers, including intra-group services, report on it to the competent authorities at least yearly and make the full register available on request; inform the authorities in advance of any planned arrangements supporting critical or important functions,
  • take account of ICT concentration risk and the risks arising from sub-outsourcing,
  • harmonise the key elements of the service and of the relationship with ICT third-party service providers to enable complete monitoring,
  • ensure that the contracts with ICT third-party service providers contain all the necessary provisions, such as a full description of the functions and service levels, the locations where data is processed, and monitoring, audit and access rights,
  • note that critical ICT third-party service providers will be subject to a Union oversight framework under which the Lead Overseer may issue recommendations on the mitigation of identified ICT risks. Financial entities must take into account the risk of their service provider not following those recommendations, and competent authorities may ultimately require them to suspend or terminate the affected arrangement.

Information Sharing

  • The regulation allows financial entities to set up arrangements amongst themselves to exchange cyber threat information and intelligence.
  • The competent authorities will provide relevant anonymised information and intelligence on cyber threats to financial entities. Entities should therefore implement mechanisms to review and act on the information shared by the authorities.

Further technical standards to be specified by the European Supervisory Authorities

DORA tasks the European Supervisory Authorities (EBA, EIOPA and ESMA) with defining technical standards and further specifics in Level 2 acts that will guide institutions.

How we can help you get there

Targeted workshops

We can scope and deliver targeted workshops that fit your current process maturity level:

  • DORA introduction workshops for management, focusing on strategic DORA requirements​

  • Outlining the differences to the existing EBA, EIOPA and PSD2 guidelines, and which additional measures need to be taken to ensure compliance

  • Deep-dive technical workshops on specific DORA pillars to ensure buy-in and ownership on all organizational levels​

  • Internal controls and template libraries​

  • And much more!

Maturity and fit-gap assessments

Our maturity assessments cover the following focus areas and ensure that you can scope your implementation roadmap clearly and with ease:

  • Adapted to your compliance state and needs:
    1. Complete DORA fit-gap assessment
    2. Specific Level 2 technical standards
    3. Additional DORA requirements compared to the existing EBA/EIOPA guidelines

  • Bottom-up process reviews, based on guided interviews as well as document-based analyses​

  • Top-down strategic resilience planning​

  • Clear prioritisation of the recommendations​

  • Connection to other existing regulations and guidelines

Cyber compliance dashboard​

At PwC Austria, our cybersecurity team has a clear focus on IT and information security regulations and guidelines, which is why we have developed our own cyber compliance dashboard that enables you to:

  • Identify your cybersecurity regulatory risks​

  • Compare regulatory requirements​

  • Slice and dice according to roles, functions and security frameworks

  • Internal controls and template libraries​

  • Connect to further domain-specific services and tools

DORA implementation roadmap

With the baseline being your current process landscape, we derive a roadmap to achieve your desired resilience posture, while meeting DORA requirements and regulatory expectations.

  • Prioritising gaps and recommendations along with their effort and inter-connections​

  • Developing a fit for purpose digital operational resilience framework​

  • Optimising and streamlining processes

  • Delivering DORA compliance in line with regulatory expectations​

Once the plan is set, we can assist you with the implementation by utilising our expertise and tools.​

A long road ahead

DORA is by no means a one-shot compliance initiative. Given its complexity and the further Level 2 regulatory standards still to be finalised, it requires regular steering and alignment in the coming years.

Let us be the reliable partner that keeps you on the compliance path with clear guidance and regular steering on DORA in the years to come.


Contact us

Georg Beham
Partner, Cybersecurity & Privacy Leader, PwC Austria
Tel: +43 732 611750

Peter Kleebauer
Senior Manager, Cybersecurity & Privacy, PwC Austria
Tel: +43 699 16305907

Serhat Ada
Manager, Cybersecurity & Privacy, PwC Austria
Tel: +43 676 833 771 114