The requirements are more stringent for larger, systemically important institutions, which will need to conduct more extensive risk assessments and implement more sophisticated security measures.
The Act sets out a uniform set of requirements for network security and IT systems across the EU, but the EU and the UK differ in how they define what is considered “crucial.” Under DORA, “critical or important functions” are those essential to the digital operation of a financial entity. In the UK, “important business services” are defined from the business outwards: a service is important if its disruption could harm the firm's clients, the wider market or the firm itself, so the scope is the whole business function rather than only the technology behind it.
This means that the EU will focus more on the digital aspects of operational resilience, while the UK will take a more holistic approach.
Although DORA entered into force in January 2023, its requirements apply from 17 January 2025, the date by which financial entities must have brought their systems and processes into compliance.
DORA rests on five pillars
The core objective of DORA is that financial entities are able to protect themselves against ICT risk, have a plan to mitigate it, and keep operating through a crisis. The legislation is built on five pillars:
- ICT Risk Management – This involves setting out roles and responsibilities for managing ICT risks, determining appropriate risk tolerance levels, and building a comprehensive risk management framework for ICT related functions.
- ICT-related incident management, classification and reporting – Firms must set up processes to log and classify ICT-related incidents, and report major ones to their competent authority using harmonised templates developed by the European Supervisory Authorities (ESAs). Reporting is staged: under the final technical standards, an initial notification is due within 24 hours of becoming aware of a major incident (and within 4 hours of classifying it as major), an intermediate report within 72 hours of the initial notification, and a final report within one month of the intermediate report.
- Digital Operational Resilience Testing – Critical ICT systems and applications must be tested at least annually. Financial entities that their competent authorities identify as significant must additionally carry out advanced threat-led penetration testing (TLPT) at least every three years.
- Information and Intelligence Sharing Arrangements – Firms are encouraged to set up arrangements within trusted communities to exchange anonymised cyber threat information and intelligence.
- Third-party Risk Management – Firms must manage the ICT third-party risk arising from their contractual arrangements: maintain a register of information on all such arrangements, and report to regulators at least annually on new arrangements for ICT services supporting critical or important functions. Contracts for ICT services must contain minimum provisions, including a clear exit strategy for when an arrangement is terminated. Concentration risk must be monitored and mitigated, including risk that only becomes visible through sub-outsourcing, where a provider depends in turn on its own subcontractors.
Standard contractual clauses have been provided for cloud computing services; although voluntary, they are an easy-to-implement starting point.
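The concentration-risk point above is the one most often missed in practice: a register that lists only the contracted provider hides the case where several providers of critical functions all run on the same subcontractor. The following is an added illustration, not BeyondFS's or DORA's own tooling. It walks a constructed register of ICT arrangements, resolves sub-outsourcing chains so that a hosting company reached only through a subcontractor still counts as a dependency, and then flags any provider on which more than a chosen share of critical or important functions rely. The field names, the sample providers and the 40% threshold are assumptions made for the example.

```python
"""Concentration-risk check over an ICT third-party register.

Added example (not from the original page): resolves sub-outsourcing chains
and computes, per provider, the share of critical or important functions that
ultimately depend on it.  Register layout, provider names and the threshold
are assumptions for illustration.
"""
from collections import defaultdict

# Constructed register: one row per contractual arrangement (assumed layout).
REGISTER = [
    {"function": "payments",  "critical": True,  "provider": "CoreBankCo",   "subcontractors": ["CloudA"]},
    {"function": "trading",   "critical": True,  "provider": "MarketDataCo", "subcontractors": ["CloudA"]},
    {"function": "kyc",       "critical": True,  "provider": "IdVerifyCo",   "subcontractors": ["CloudB"]},
    {"function": "hr_portal", "critical": False, "provider": "HRSaaS",       "subcontractors": ["CloudA"]},
    {"function": "reporting", "critical": True,  "provider": "AnalyticsCo",  "subcontractors": []},
]

# Constructed sub-outsourcing map: who each subcontractor itself relies on.
SUBCONTRACTOR_CHAIN = {
    "CloudA": ["DCHostingX"],   # CloudA is hosted by DCHostingX
    "CloudB": [],
    "DCHostingX": [],
}


def resolve_chain(providers, chain, seen=None):
    """Return every provider reachable from `providers` through `chain`,
    including the starting providers.  `seen` guards against cycles in a
    badly recorded register."""
    seen = set() if seen is None else seen
    for p in providers:
        if p in seen:
            continue
        seen.add(p)
        resolve_chain(chain.get(p, []), chain, seen)
    return seen


def critical_dependencies(register, chain):
    """Map each critical or important function to the full set of providers
    it ultimately depends on, direct and via sub-outsourcing."""
    deps = defaultdict(set)
    for row in register:
        if not row["critical"]:
            continue
        direct = [row["provider"], *row["subcontractors"]]
        deps[row["function"]] |= resolve_chain(direct, chain)
    return dict(deps)


def concentration(register, chain):
    """Fraction of critical/important functions depending on each provider."""
    deps = critical_dependencies(register, chain)
    if not deps:
        return {}
    counts = defaultdict(int)
    for providers in deps.values():
        for p in providers:
            counts[p] += 1
    return {p: n / len(deps) for p, n in counts.items()}


def flag_concentration(register, chain, threshold=0.4):
    """Providers whose share of critical functions exceeds `threshold`,
    highest share first.  Hidden fourth parties such as a shared hosting
    provider surface here even though no contract names them directly."""
    shares = concentration(register, chain)
    return sorted(((p, s) for p, s in shares.items() if s > threshold),
                  key=lambda ps: (-ps[1], ps[0]))


if __name__ == "__main__":
    for provider, share in flag_concentration(REGISTER, SUBCONTRACTOR_CHAIN):
        print(f"{provider}: {share:.0%} of critical functions")
```

With the constructed register, the contracted providers each support one critical function, but CloudA and, one level deeper, DCHostingX sit under half of them; a per-contract review would never have surfaced DCHostingX at all.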
BeyondFS can provide guidance and solutions to help you define your organisation’s DORA requirements and build a foundation for successful implementation. We have a tested vendor selection framework and an established network of trusted third-party fintech providers that can help you manage third-party risks effectively. We have experts in risk transformation, governance frameworks, and design and implementation of target operating models.
Helping a bank understand their important business services
Our consultants supported a global bank in its journey towards compliance with operational resilience requirements. Its teams needed significant training on the topic, so we ran workshops to help them understand the requirements fully.
The three-month engagement was split into:
- Methodology workshops and the creation of a catalogue of business services impacted by the regulation.
- Pilot end-to-end process mapping, setting impact tolerance, scenario testing and documentation of lessons learnt.
- A comprehensive communication and delivery plan for the team in charge of Operational Resilience.
The client now has a catalogue of important business services for corporate banking, and a consolidated list for both wholesale and retail banking. There is a clearly documented methodology, which the client is replicating across multiple business functions, and a scenario-testing library of severe but plausible scenarios for future testing, which sets the organisation up for ongoing risk management.
If you would like to know more about how we can support you to become DORA compliant, please reach out to us on info@beyondfs.co.uk.