In our first article, “DORA – Let’s turn regulatory challenges into strategic advantages”, we provided a breakdown of DORA describing what it is, why it matters and, last but not least, answered the question: who needs to care about it?
The answer to the last question is (i) financial entities and (ii) third-party providers of Information and Communication Technology (ICT) services (“TSPs”).
In this second article, we break down what financial entities need to do to start their DORA compliance journey.
In our next article, we will break down what third-party providers of ICT services need to do to start their DORA compliance journey.
What financial entities need to do under DORA
- ICT Risk Management
A primary requirement under DORA is the establishment of a comprehensive ICT risk management framework. Some may say “we have this already”, but note that this goes beyond general IT security protocols and requires financial entities to take a proactive approach to identifying, assessing, and mitigating risks related to their digital operations.
What to do:
Conduct Regular Risk Assessments: Perform detailed ICT risk assessments to evaluate vulnerabilities, potential impacts, and threats to your organisation’s digital infrastructure. This should include risks related to data breaches, cyber-attacks, system failures, and hardware malfunctions.
Establish Governance and Controls: Implement a governance framework that assigns clear responsibilities for ICT risk management. Designate individuals or teams to monitor, report, and mitigate risks and ensure that appropriate safeguards are in place.
Ensure Continuity and Recovery Plans: Develop robust business continuity and disaster recovery plans. These should outline how your organisation will respond to ICT disruptions, ensuring minimal downtime and rapid recovery to maintain service delivery.
- Incident Reporting
Financial entities need to ensure they have mechanisms in place to detect, report, and resolve incidents in a structured way. This requirement aims to improve transparency across the sector, making it easier for regulators to monitor and address systemic risks.
What to do:
Set Up a Clear Incident Reporting Process: Establish a process to report incidents internally and to regulators.
Prepare for Incident Investigations: Be ready to investigate each incident, determining its root cause and impact and how to prevent it from recurring. Document all findings.
Test Your Incident Response Plan: Regularly test your incident response plan through drills and simulations to make sure that all stakeholders understand their roles and responsibilities during an actual incident.
- ICT Testing
Testing is a fundamental aspect of DORA’s operational resilience requirements. Financial entities need to demonstrate that their ICT systems can withstand and recover from a wide variety of disruptions.
What to do:
Conduct Regular ICT Resilience Tests: Perform stress tests and scenario-based testing on your ICT systems to identify weaknesses, using methods such as penetration testing, disaster recovery drills, and table-top exercises to simulate real-world threats.
Test Against Specific Threat Scenarios: Test your systems against different types of disruptions to ensure they can continue functioning under different stress conditions.
Ensure Independent Testing: Consider engaging external experts to provide an independent assessment of your ICT resilience for the purpose of identifying blind spots that internal teams may overlook.
- Managing Third-Party Risks
Under DORA, financial entities are required to ensure that TSPs — cloud service providers, software vendors, or other outsourcing partners — meet the same operational resilience standards that the financial entity itself must comply with. Please see below under “What third-party ICT services providers need to do under DORA”.
What to do:
Assess TSPs: Conduct due diligence on TSPs to assess their ability to meet DORA’s resilience standards including evaluation of their security measures, incident response capabilities, and business continuity planning.
Establish Strong Contractual Terms: Ensure that contracts with TSPs include clear terms on ICT risk management, incident reporting, resilience testing, and response expectations. The contractual terms are clearly regulated in Article 30 DORA: Article 30.2 regulates “regular” ICT services and Article 30.3 regulates ICT services which are critical or important to the financial entity. These contracts should also provide for regulatory oversight and regular audits. Please see below under “What third-party ICT services providers need to do under DORA”.
Monitor Third-Party Performance: Continuously monitor TSPs to ensure they maintain compliance with agreed-upon resilience standards. Set up periodic reviews, including audits and performance assessments, to mitigate risks.
Key Takeaways
To comply with DORA, financial entities must integrate ICT risk management into their organisational culture, implement rigorous testing protocols, ensure effective incident reporting, and carefully manage third-party risks.
While the requirements are comprehensive, taking a structured approach to each of these areas will help financial entities ensure resilience and mitigate the potential impact of ICT disruptions. Compliance with DORA is not an optional task; it is an essential part of maintaining the trust of regulators, customers, and other stakeholders in the digital age.