European Union's DORA directive

Operational resilience has become a major regulatory priority across European financial services, underlined by the new EU Digital Operational Resilience Act (DORA). Finalized in late 2022 after extensive industry consultation, DORA aims to ensure financial firms can withstand all types of ICT disruptions and threats.

Foreshadowed by initiatives in the UK and other European jurisdictions, this pioneering legislation seeks to harmonize digital resilience standards across the EU. It will apply to banks, insurance companies, investment firms, financial market infrastructure, and third-party ICT providers.

The key requirements include:

ICT Risk Management: Firms must identify, document and minimize ICT risks through appropriate strategies, tools and controls tailored to their business. This covers risks to data, systems, networks and processes.

Incident Response: Documented incident response and recovery plans will ensure firms can quickly restore services and operations after disruptions. Regular plan testing is mandated.

ICT Continuity: Measures must be in place to substitute failed critical ICT systems and data access within prescribed timeframes. Scenario testing will validate continuity arrangements.

Information Sharing: To boost collective resilience, firms will share cyber intelligence with national authorities through coordinated disclosure platforms. Information sharing between financial sector participants is also encouraged.

Third-party Oversight: Robust due diligence and oversight processes for ICT providers and outsourcing arrangements will reduce third-party dependencies and concentration risks.

ICT Security: Advanced security safeguards must be implemented following the latest standards and guidance. Encryption, identity management, system hardening, and anomaly detection are cited.

Notification Duties: Major ICT incidents and risks need swift notification to authorities and impacted customers as appropriate. This enables coordinated action and transparency.

Testing Notifications: Firms must notify regulators in advance of planned ICT resilience testing to avoid false alarms and wasted responses.

Digital Operational Resilience Testing Framework: The European Banking Authority will develop guidelines on testing methodologies, scenarios and reporting to promote consistent cross-border testing.

Under DORA, competence and accountability for digital resilience rest with firms' boards and senior management. They must approve the operational resilience policies and oversee regular internal reporting.

National regulators will be empowered to impose remedial actions, notification duties and penalties for non-compliance. The largest firms and critical ICT providers face increased supervisory scrutiny.

DORA enters into force in early 2023, with requirements phased in through 2024-2026. This implementation timeline gives firms time to upgrade legacy systems and workstreams.

Although demanding, these EU-wide standards will incentivize investments in preparedness. And a heightened focus on collective action and public-private collaboration aims to strengthen resilience across Europe's interconnected financial sector. For customers, DORA should result in fewer service disruptions and quicker recovery when incidents do occur.

DecideWright is a UK-based consultancy that delivers solutions in the areas of Strategy Execution and Enterprise Performance Management; Enterprise and Operational Risk Management; Operational Resilience, including DORA; and Measurement & Metrics, including KPIs & OKRs.

Contact us to see if we are the right firm for your project.
