DORA – Bolstering and Harmonising Operational Resilience Across the EU.
See full article at https://cjcit.com/insight/dora-navigating-the-eus-operational-resilience-landscape/
The EU’s DORA is inevitable and will have ripple effects beyond the Union. It supersedes previous industry-specific operational resilience guidelines and overcomes national disparities, harmonising requirements for key focus areas across the entire financial industry value chain to establish a common framework across the Union. This insight explores the macro impacts of DORA, summarising key sections of DORA’s full text to define:
- What Is DORA and Its 5 Focus Areas?
- Why Is DORA Important?
- Who Does DORA Apply To?
- DORA Compliance vs. Non-Compliance.
Digital technology is pivotal for global financial and capital market firms: it underpins complex systems and is critical to the delivery of core business functions and revenue-generating activities. Digitalisation and the resulting interconnectivity enable greater efficiency and cost savings, but they also amplify information and communication technology (ICT) risk and increase the financial system’s exposure to cyber threats and disruptions.
Despite targeted policy and legislative initiatives at the national level, the European Union (EU) recognises the critical need to harmonise and bolster operational resilience across its member states to protect the integrity and efficiency of the internal market, particularly in light of escalating cyber threats [1] and disruption incidents [2]. A view recently echoed by Liquidnet [3]:
“The industry is only as strong as its weakest link […] 2024 will not only represent greater regulatory scrutiny of compliance, risks, and controls as well as technology interoperability, but individual responsibility in making the eco-system function optimally.”
Addressing the ongoing resilience challenges, the EU introduced the Digital Operational Resilience Act (DORA) to fortify ICT security and operational robustness for financial entities.
What Is DORA and Its 5 Focus Areas?
DORA was adopted by the European Parliament and the Council on 14 December 2022, with compliance required by 17 January 2025. The regulation consolidates and enhances requirements for digital operational resilience that had, until then, been addressed separately in various Union legal acts, establishing a common framework [4] for the digital operational resilience of financial entities so that they can better withstand, respond to and recover from ICT-related incidents and breaches.
DORA's 5 Areas of Focus:
- ICT Risk Management.
- ICT-related Incident Management, Classification & Reporting.
- Digital Operational Resilience Testing.
- ICT Third-Party Risk Management.
- Information Sharing Arrangements.
Why Is DORA Important?
DORA builds on and supersedes earlier industry-specific guidelines, overcoming national disparities and consolidating requirements for key areas consistently across the entire value chain. It is unique in introducing a Union-level oversight framework for critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs) [5].
With the financial sector reliant on ICT systems and interconnectivity growing, ICT risks and vulnerabilities will have an increasingly disruptive cross-border impact across the Union, amplifying the effect of operational disruptions and cyber threats at financial firms. DORA acknowledges that digitalisation now encompasses critical financial functions [6] such as payments, securities clearing, algorithmic trading and back-office operations. It aims to bolster the operational resilience of these functions to maintain overall financial stability and protect consumer trust within the internal market, preserving market confidence by ensuring the continued provision of financial services even under adverse scenarios.
Who Does DORA Apply To?
DORA applies to financial entities in the EU and to the ICT third-party service providers that supply services supporting them. A recent insight [10] addressed this. The regulation introduces specific and prescriptive requirements for all financial market participants in scope.
DORA – Financial Entities
To comply with DORA, financial entities must strengthen their ICT risk management practices, which include identifying, assessing and mitigating the risks associated with digital operations. DORA also introduces prompt ICT-related incident reporting obligations to the relevant authorities for disruptions to critical functions. Institutions must also regularly test their operational resilience and recovery capabilities by simulating a range of disruptions.
Notably, DORA requires financial entities to assess and manage the ICT risk posed by their third-party service providers and to ensure that contractual arrangements address operational resilience. This relates to ICT concentration risk (DORA Article 29 [11]) and follows incidents such as the OPRA outage [12] and cybercrime targeting critical suppliers in the financial supply chain, such as the Ion Group hack last year [13] or attacks on cloud computing vendors [14], where a single incident can impact multiple financial entities at once.
It should be noted that the impact of outages is not limited to firms and end-users: the repercussions can spill over onto personal finances, as demonstrated by DBS Bank [15] earlier this year.
DORA – Third-Party Dependencies and Operational Resilience
Financial entities increasingly rely on third-party providers to deliver critical parts of their operations and services; consequently, DORA also significantly affects third-party dependencies. These third parties include cloud service providers, data vendors, software developers and other technology partners. Outsourcing certain functions can enhance efficiency and reduce costs, but, as the Ion incident showed, it also introduces new risks. Authorities must now look beyond the resilience of individual regulated firms and assess the sector’s wider operational resilience.
DORA emphasises robust risk management practices for third-party dependencies, aiming to bolster the overall resilience of the financial sector in the digital age. These include:
- Broad Scope of ICT Third-Party Risk – To enhance operational resilience across the financial services sector, DORA casts a wide net in defining ICT third-party risk. DORA Article 3(18) [16] defines ICT third-party risk as any ICT risk (as defined in Article 3(5) [17]) that may arise for a financial entity in relation to its use of ICT services provided by ICT third-party service providers or their subcontractors, including through outsourcing arrangements.
- Risk Management Practices for Third-Party Vendors – DORA mandates appropriate risk management practices for third-party vendors to reduce the operational risks associated with third-party relationships and to ensure resilience. It also aims to implement a harmonised regulatory framework for third-party vendor risk management across the EU (Article 15 [18]).
- Critical ICT Third-Party Providers – DORA recognises the critical role of ICT service providers in financial services. If a third party is designated as critical, as CJC is in some instances, it must comply with DORA’s requirements. Notably, critical third-party providers established outside the EU are required to set up a subsidiary within the EU (Article 31(12) [19]), although recital (82) [20] notes that the requirement “should not prevent the critical ICT third-party service provider from supplying ICT services and related technical support from facilities and infrastructure located outside the Union.”
Speaking about operational resilience and DORA compliance, Gina Wee, Chief Information Officer at CJC said, "From implementing robust encryption and strict access control to conducting regular audits, CJC upholds high levels of compliance to ensure data
security. Combined with proactive planning, adaptive procedures and a culture of continual improvement, we ensure uninterrupted services to our clients. We hope our commitment to information security, operational resilience and accountability provides our
clients peace of mind and confidence in our managed services."
DORA Compliance vs. Non-Compliance
The Risk of Non-Compliance
Not complying with DORA may lead to reputational damage, financial losses, and regulatory penalties. Firms that fail to comply with DORA’s requirements risk operational disruptions, customer dissatisfaction, and potential legal consequences.
DORA Compliance – 3 Considerations & Best Practices
To comply with DORA, financial institutions should work through three steps:
- Map existing third-party dependencies comprehensively, including understanding the services delivered by outsourced functions, in order to identify critical dependencies.
- Assess the resilience of the mapped dependencies by evaluating each service provider’s operational capabilities, security measures and disaster recovery plans.
- Ensure contractual agreements with third parties specifically address operational resilience requirements, including provisions for incident reporting, business continuity and recovery time objectives.
To stay compliant, financial institutions can adopt several best practices for continuous compliance with DORA. These include:
- Due Diligence – When selecting third-party providers, conduct thorough due diligence, considering their track record, financial stability and operational resilience.
- Scenario Testing – Simulate various scenarios with third parties to test the effectiveness of recovery plans. This should include cyberattacks, system failures, and natural disasters.
- Continuous Monitoring – Monitor third-party performance and compliance regularly, being prepared to adapt should resilience postures change.
Final Words:
DORA is not just a regulation; it is a strategic opportunity to enhance your operational resilience and build trust in the digital age. As the leading market data technology consultancy and service provider for global financial markets, CJC treats its position
as a critical third-party supplier of market data-managed services to the capital market community seriously. No matter the service level, DORA-compliant standards and transparency are out-of-the-box from CJC, which provides multi-award-winning consultancy,
managed services, cloud solutions, observability, and professional commercial management services for mission-critical market data systems. CJC is vendor-neutral and ISO 27001 certified, giving CJC’s partners the freedom to focus on their core business.