The clock is ticking for financial institutions in the EU to achieve compliance with the Digital Operational Resilience Act (DORA). This groundbreaking regulation harmonises digital resilience standards, raising the bar for operational resilience across the financial sector. With the 17 January 2025 deadline rapidly approaching, and stringent requirements spanning ICT risk management, incident reporting, third-party risk management, and resilience testing, immediate action is imperative for financial firms.
While many firms already meet some of DORA’s requirements through existing EU resilience and cybersecurity laws, the regulation moves the goal posts even further in some areas. DORA consolidates previous regulations but introduces more detailed and specific requirements than many principle-based approaches, such as extensive provisions for managing critical third-party providers (CTPPs).
A comprehensive assessment is crucial to understand compliance gaps and accelerate targeted efforts in weak areas.
Compliance with DORA is not just a regulatory obligation; it’s a strategic imperative for mitigating risks and safeguarding firms’ reputation. Failure to comply by the 17 January 2025 deadline can result in severe penalties and fines imposed by national competent authorities.
CROs, COOs, CISOs, heads of operational resilience, ICT risk teams, and third-party risk management and outsourcing teams in financial services firms must act now to ensure compliance with the DORA regulation by 17 January 2025.
Financial services organisations must fully assess their operations as a result of the DORA regulation. They are now trying to estimate how much of their work under previous regulations will help them meet DORA requirements and, more importantly, how much more is needed to be DORA compliant.
We provide below our views on what additional new requirements DORA brings in this space and what challenges lie ahead:
Navigating the DORA Landscape
Management of ICT risk
DORA mandates a comprehensive ICT risk management framework that aligns with its requirements for risk identification, protection, prevention, detection, response, and recovery. Financial entities must enhance their existing frameworks to comply with DORA’s standards.
Incident handling
The regulation introduces robust incident management and reporting processes. Financial institutions must establish systems to classify, analyse, and report major ICT-related incidents to competent authorities within specified timeframes.
Resilience testing
DORA requires the implementation of a comprehensive digital operational resilience testing programme. This includes scenario-based tests, threat-led penetration testing, and independent assessments of critical systems and applications. Larger institutions must have threat-led penetration testing conducted by accredited third parties.
Third-party risk management
One of DORA’s most significant aspects is the enhanced management of third-party providers, particularly those designated as “critical” by the European Supervisory Authorities (ESAs). Financial entities must conduct thorough risk assessments, renegotiate contracts to include DORA-mandated clauses, and implement robust oversight mechanisms for subcontractors supporting critical functions.
Threat intelligence sharing
DORA emphasises the importance of cyber threat information and intelligence sharing among financial institutions. While currently voluntary, this aspect is expected to become mandatory in the future. Financial institutions and ICT third-party providers must act swiftly to achieve DORA compliance by the January 2025 deadline, as non-compliance can result in severe penalties and fines imposed by national competent authorities.
DORA entered into force on 16 January 2023, and financial entities must achieve full compliance by 17 January 2025. However, the journey to compliance is complex, with the various standards and technical specifications being finalised in batches. The first batch of standards was finalised in January 2024, while the second batch is expected to be completed by July 2024, leaving a narrow window for implementation.
Scope of DORA – Who needs to comply
DORA’s impact is far-reaching, covering financial entities operating within the European Union, regardless of their headquarters’ location. These entities must comply with DORA in their EU operations and decide whether to implement DORA’s requirements across their global operations.
How we can help unlock resilience and mitigate risks
GenHive offers a comprehensive suite of services to guide you through the complexities of DORA compliance. Our AI-powered platform streamlines the gap analysis process, identifying areas of non-compliance and providing tailored recommendations.
Beyond streamlining your processes, GenHive can also help with:
– Expert guidance. We assemble a dedicated cross-functional project team to oversee compliance initiatives.
– Leveraging legacy. We help you identify existing artefacts addressing other regulations that can be used for compliance with DORA.
– Framework optimisation. We work alongside your team to enhance your ICT risk management framework to align with DORA’s stringent requirements.
– Third-party risk management. We strengthen the management of third-party providers through risk assessments, contract renegotiations, and robust oversight mechanisms.
– Implementation. We implement robust incident management processes and reporting systems, streamlining your operations.
– Resilience testing. We design comprehensive digital operational resilience testing programmes to identify and address potential vulnerabilities.
Don’t let the DORA compliance deadline catch you unprepared.
Partner with GenHive to leverage the power of AI and access a team of experts to accelerate the implementation of DORA.