Businesses had two years to make sure they were compliant with The European Union’s Digital Operational Resilience Act. DORA was designed to accomplish two main things – to address ICT risk management in the financial services sector and to harmonise risk management regulations that already exist in individual EU member states. Jason Smith, Senior Principal, Strategy & Transformation at Conga, outlines how organisations can comply with the regulations.
The European Union’s (EU’s) Digital Operational Resilience Act (DORA) entered into force on January 16, 2023, with an application date set for January 17, 2025. The legislation, which mandates that financial institutions strengthen their IT security and operational resilience, has forced businesses to adopt stringent new protocols or face serious penalties. Now the transition period has drawn to a close, organisations need to remain vigilant and ensure that they and their partners are fully compliant.
As set out in the initial mandates, there are five core pillars to DORA. These include:
● ICT risk management – Financial institutions need to understand internal and external threats, evaluate their impact and develop appropriate strategies to mitigate them
● Incident reporting – Organisations must be transparent about data incidents and have robust systems to detect, report and analyse all incidents
● Digital operational resilience testing – Organisations must conduct a range of assessments and testing to demonstrate compliance and safety at all times
● Third-party risk management – Financial institutions have a responsibility to conduct due diligence on, and monitor, third-party risk
● Information sharing – This includes establishing a framework for information sharing and ensuring this is done confidentially and in compliance with current data protection laws
DORA was designed to accomplish two main things. Firstly, to address ICT (information and communications technology) risk management in the financial services sector to prevent or reduce the harm posed by cyberattacks, data leaks and outages. Secondly, to harmonise risk management regulations that already exist in individual EU member states.
Initially, organisations were concerned with the scope of the DORA mandates. According to a report by McKinsey, enterprises felt that there was not much clarity regarding the key items or terms. For example, there was uncertainty about the definitions of ‘critical’ or important functions and about which companies would be considered critical third-party (CTP) providers.
There was also concern over the timeline, especially given the complexity of some of the regulatory requirements, such as updating all relevant third-party contracts, which required significant lead time for implementation; contract lifecycle management tools proved invaluable here. Uncertainty over scoping also led organisations to increase their budget allocations in order to meet the DORA obligations on time.
There were also reactions from industry bodies and membership organisations. For example, the Futures Industry Association (FIA) responded to the European Supervisory Authorities’ (ESAs) consultations on DORA’s policy products in September 2023. The FIA was also concerned with the classification of ICT-related incidents and the approach followed to incorporate proportionality in the Regulatory Technical Standards (RTS).
Lastly, there are the penalties themselves. Businesses that are considered critical third parties could face fines of up to €5,000,000, while financial institutions that are not compliant could be fined up to 2% of their annual worldwide turnover, and individuals up to €1,000,000.
Compliance 101 – review, assess, react
Now that the deadline has passed, organisations need to remain vigilant for the year ahead. As a first step, financial institutions must ensure that they understand the regulations and how they apply to them and their partners, particularly as they agree to new partnerships in the future. It is important that organisations review their processes to ensure they are compliant. This is best done by conducting a gap analysis of existing contracts and assessing ICT third-party risks on a regular basis.
A gap analysis is a strategic planning method that involves comparing an organisation’s current performance to its desired performance. In the case of DORA, a gap analysis would be used to identify and address gaps in the company’s current ICT policies.
Assessing third-party risk will also be key. This is particularly true in the wake of the CrowdStrike outage in July 2024, which disabled an estimated 8.5 million Microsoft devices and affected businesses around the world. Regulatory bodies will be extra cautious and will monitor organisations to ensure this kind of event never happens again.
Moving forward, all enterprises have to consider their third-party providers’ security, as well as where their customer data is stored and to what extent they can audit the services of the provider. Most importantly, financial institutions need to hold their vendors accountable.
The more prepared firms would have implemented a centralised contract lifecycle management (CLM) system to automate vendor risk assessments and contractual agreements to ensure that they met the new standards. Others may still have gaps in their third-party risk oversight and any new contracts will pose further compliance issues.
CLM and contract intelligence software enable organisations to extract commercial terms from a contract and transform them into verified data. As this can be done in bulk, it allows for a much more efficient process when it comes to identifying risks. Artificial Intelligence (AI) can also be utilised to identify any potential risks and suggest alternative language to mitigate these risks.
2025: Navigating the regulatory landscape
Now that DORA has been fully implemented, the most important thing for financial organisations is to ensure that they understand the regulations fully and keep on top of their contracts, existing and new, including those with partners and third parties, in order to avoid falling foul of the rules. DORA is not a one-time effort, and in the post-DORA landscape organisations will need to be agile and prepared for any potential changes in future legislation. Operational resilience is now a strategic imperative.
The best way for a business to approach this is to review its data and systems, and to establish and invest in the right technologies, so that it is in the best position to adapt to regulatory updates or changes and navigate the ever-changing business landscape.