What You May Not Know About DORA — But Should
August 29, 2023
European financial services firms will have less than 24 months to comply with the European Council’s Digital Operational Resilience Act (“DORA”) once it’s formalized later this year. Acting now has major advantages.
If you’re an IT manager of a financial services firm in the European Union (“EU”), you no doubt have had your eye on DORA for almost two years now. DORA — the Digital Operational Resilience Act — is expected to go into full effect this fall following a review period that began in September 2020. When the Act arrives, all EU financial services (“FS”) firms will have less than 24 months to strengthen their cybersecurity stance to comply with its new regulations.1
Now, if you’re on the board of an FS, or are senior management, you may not have been paying that much attention to DORA. And why should you? Isn’t DORA essentially an IT issue? Can’t your best tech folks handle compliance and testing?
You could go that route. But given the origins and intent of the new law, you may be seriously underestimating the significant challenges to compliance. Moreover, you might be missing a unique opportunity for strategic compliance that can benefit your organization. That’s because DORA is not only about strengthening cybersecurity — it’s about building operational resilience across the full enterprise.
Ask any IT manager about this last point and you’ll likely hear a mantra they’ve long preached: Cybersecurity and resilience should be integral elements of business implementation.
A Focus on ICT
To grasp this point more fully, let’s take a brief look at where DORA came from and its goals. For years, national governing bodies within the EU exercised their own discretion when it came to cybersecurity in financial services. That discretion led to a patchwork of incident reporting processes and directives that contributed to increasing compliance costs for organizations.2
DORA harmonizes rules and regulations, aiming for consistency across the EU to maintain operations through severe operational disruption. Specifically, the EU hopes the new laws will help FS firms better withstand, respond to and recover from the threats to information communication technologies (“ICTs”). Given the business imperatives of maintaining ICT, DORA is intended to add stability and confidence within the financial system.3
DORA will have far-reaching implications. Here, we ask and answer questions related to the new regulatory framework that may be on the minds of boards and senior managers.
Q. Just how different is DORA from the current regulations my firm is operating under?
A. That depends on the regulations of your governing body. But the important thing to know about DORA is that it is much more interventionist than any existing guidelines. And it’s much more prescriptive than anything previously issued. It bears repeating: The EU is focused on the central role of ICT in the financial services sector. As such, the flaws and vulnerabilities in digital infrastructures are not just IT problems, but firm-wide issues. You’ll need to move away from thinking “cyber compliance” to thinking “cyber assurance.”
Q. Can’t we just wait a year or so to get started on compliance?
A. You can, but getting out ahead of a new law that is such a heavy lift and features harsh penalties and consequences for failure to comply is in the best interest of many firms. Banks and insurance agencies are already mobilizing enterprise-wide DORA initiatives this year.4 If you wait and decide to simply tinker around the edges of your core platforms, it might seem less disruptive, but you’ll layer in a huge amount of additional infrastructure.
Q: We’re not a financial services firm, but we partner with one. Does DORA apply to us?
A. Almost all financial entities will be subject to DORA. For instance, third parties that provide ICT-related services to financial services firms, such as cloud platforms and data analytics services, must be compliant. And the European Council says that “[c]ritical third-country ICT service providers to financial entities in the EU will be required to establish a subsidiary within the EU.”5
Q. What’s one thing that I might overlook when implementing DORA?
A. As noted, DORA has numerous requirements across all aspects of digital operational resilience. Have you considered, for instance, how you’ll handle crisis communications if you suffer a cyber incident when the law is in effect? It’s mandatory under DORA to report all incidents, and having a plan ahead of time can mitigate reputational risk.6
Q. There are five key pillars associated with DORA (see sidebar). Which should I prioritize first?
A. All five are interrelated and should be approached jointly. For the sake of space, this article presents only the “digital operational resilience testing” pillar. Subsequent articles will cover the remaining four pillars.
Q. Okay, tell me about digital operational resilience testing.
A. The pillar will require financial organizations to undergo regular testing by independent parties. Legislators are still working to clarify the testing methodology and how multiple entities will recognize the testing results. But under the provisional agreement, “penetration tests” are based on existing EU initiatives like TIBER-EU, a framework that “mimics the tactics, techniques and procedures of real-life attackers, based on bespoke threat intelligence.”7The tests are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems.
Q. Now that I know about the testing pillar, what’s the most important thing I should keep in mind when running a testing program?
A. That it should center on the customer. Given that DORA is intended to boost stability and confidence in the financial systems, any digital operational resilience testing program must deliver against customer expectations.
* FTI Consulting organizes the requirements of DORA into five key pillars; other sources may organize them differently
1: FTI Perspectives, “DORA Overview for Permanent TSB (FTI Perspectives,” April 2022, p. 3
2: FTI Cybersecurity, “The Digital Operational Resilience Act (DORA): Key questions business leaders should be asking,” FTI Consulting, December 29, 2020, https://fticybersecurity.com/2020-12/the-digital-operational-resilience-act-dora-key-questions-business-leaders-should-be-asking/
3: Council of the EU, “Digital finance, provisional agreement reached on DORA,” May 11, 2022 https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/
4: Lafarge, Joanna Grove “What firms can expect from DORA,” Global Risk Regulator,” February 4, 2021, https://www.globalriskregulator.com/Subjects/Reporting-and-Governance/What-firms-can-expect-from-DORA
5: Council of the EU, “Digital finance, provisional agreement reached on DORA,” May 11, 2022 https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/
6: Moinuddin, Ali, “The Global Drive for Better Financial Sector Operational Resilience,” International Banker, June 7, 2022, https://internationalbanker.com/finance/the-global-drive-for-better-financial-sector-operational-resilience/
7: European Central Bank, “What is TIBER-EU,” https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html#:~:text=TIBER%2DEU%20is%20the%20European,carrying%20out%20a%20controlled%20cyberattack.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
About The Journal
The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.