Digital Operational Resilience Act (DORA)

The proposed Digital Operational Resilience Act (DORA) aims to harmonize ICT risk requirements across Europe. What does that mean for you?

The Digital Operational Resilience Act (DORA) Proposal was published in response to the European Commission’s Digital Finance Strategy (September 2020), which tackles digital transformation risk mitigation through prescriptive and consistent rules on digital operational resilience. It aims to create one unified approach across Europe, across regulators and across the financial services industry.

Whilst official regulation is still in draft form within Europe, regulators expect financial institutions to begin focussing on operational resilience. Moreover, we see an increased interest in the Belgian financial services sector. The December 2020 Statement issued by the European Central Bank (ECB) regarding supervisory cooperation on operational resilience focused on the following key points:

• The importance of operational resilience and      the ability of banks to recover from operational disruption,
• The recognition of activities undertaken by      the industry to date (while acknowledging that more work is to be done to      ensure resilience against operational disruption),
• The requirement to ensure that banks are      resilient to potential operational disruptions from all hazards, including      severe but plausible cybersecurity incidents,
• The ECB’s commitment to working closely with      the Fed and PRA to coordinate supervisory approaches.

Operational Resilience is an existing key strategic theme across the financial services industry as well as wider across Information Communications and Technology companies providing services to financial services firms. To date, we have seen a number of interest groups publish their approach to Operational Resilience and DORA specifically. 

DORA will apply to the whole financial sector. It will also apply to firms captured within the expanded regulatory perimeter under the term ‘critical ICT third-party service providers’, which will include services such as cloud resources, data analytics and audit.

Although the Act is currently still in draft form and the final regulations are only expected to be published by 2022, it is imperative for firms to start thinking about, and working on, their operational resilience journey.

Below we present high-level items to help you understand the regulation and identify where to focus. It outlines DORA’s specific objectives:

1. Address ICT risks and strengthen digital      resilience,
2. Streamline ICT-incident reporting,
3. Provide access for supervisors to ICT      incident-related information,
4. Ensure assessment of preventive and resilience      measures,
5. Facilitate cross-border acceptance of testing      results,
6. Govern the monitoring of ICT third-party      providers,
7. Oversee critical ICT third-party providers,
8. Exchange threat intelligence.

Despite this regulation being brand new, geevo® can help you prepare. We have a track record of delivering operational resilience transformation projects through our multidisciplinary teams, and can help you evolve, grow and comply in this rapidly changing regulatory environment.