The deadline for complying with the DORA requirements are just a few months away. We have looked into the most demanding yet practical steps your financial institution needs to take.
Complying with the Digital Operational Resilience Act (DORA) involves addressing multiple layers of complexity, including the integration of new requirements into existing frameworks, managing third-party risks, conducting advanced testing, and ensuring board-level involvement.
The resource and cost implications, particularly for smaller institutions, pose significant challenges. Financial institutions must therefore plan comprehensively, allocate resources effectively, and engage in ongoing monitoring to successfully achieve and maintain compliance.
Our research includes feedback from the team developing our digital solution for third-party ICT service provider risk, and white papers from leading industry experts. Based on these, we believe there are eight larger common denominators when it comes to DORA compliance challenges:
1. Complexity of ICT risk management integration
DORA introduces comprehensive ICT risk management requirements that must be integrated with existing frameworks such as the EBA guidelines. Aligning these without overlaps or gaps is a complex task, according to this report by Capgemini.
To address this challenge, start by performing a thorough gap analysis between your current risk management practices and DORA's requirements. Develop a unified ICT risk management framework that includes risk identification, classification, prevention, response, and recovery plans. Engage cross-functional teams to ensure all aspects are covered and that integration with existing protocols is seamless. Regular self-assessments can help identify vulnerabilities and maintain resilience.
2. Enhanced third-party risk management and contractual challenges
Managing risks associated with third-party ICT service providers is intensified under DORA. This includes in-depth risk assessments, creating a comprehensive third-party register, and addressing contractual complexities, especially given the volume and diversity of providers, according to this report by Deloitte.
Begin by establishing a robust third-party risk management framework. Maintain a detailed register of all ICT service providers, distinguishing between those supporting critical and non-critical functions. Review and, if necessary, renegotiate contracts to include DORA-specific clauses, minimizing extensive negotiations by using standardized terms. Collaborate with providers to raise awareness about regulatory requirements, potentially avoiding resistance or cost renegotiations. Develop predefined exit strategies to ensure business continuity if a provider fails or cannot comply.
3. Advanced ICT resilience and threat-led penetration testing (TLPT)
DORA mandates regular ICT resilience testing, including threat-led penetration testing every three years for critical systems, which can be resource-intensive and require specialized expertise.
To meet these requirements, develop an internal testing program aligned with DORA's specifications, according to this report by Capgemini. Ensure your team has the necessary expertise to perform these tests; if not, consider outsourcing TLPT to certified third-party specialists. Include all relevant third-party systems in your testing scenarios. Document all findings meticulously and implement immediate corrective actions based on test results. Seek necessary approvals and certifications for your testing processes as required.
4. Resource constraints, cost management, and scalability issues
Compliance with DORA requires significant investment in technology, cybersecurity measures, and expertise, posing challenges, especially for institutions with limited budgets, according to this report by Deloitte.
To manage resources effectively, prioritize compliance tasks based on risk, focusing first on critical areas like incident reporting and third-party management. Invest in scalable technology solutions that can grow with your organization's needs. Automate routine tasks where possible to reduce manual workload. Consider partnerships with compliance experts or other institutions to share resources and knowledge. Incorporate DORA compliance costs into your long-term financial planning to spread expenditures over time.
5. Strengthened governance, board-level involvement, and stakeholder engagement
DORA requires active involvement from top-level management and boards in ICT risk management, necessitating adjustments in governance structures and increased awareness among stakeholders.
Create a formal governance structure that clearly defines roles and responsibilities for ICT risk oversight at the board level, according to this report by PwC. Develop intuitive reporting tools to keep the board informed about ICT risk performance and compliance status. Provide targeted training for board members and management on DORA's key requirements to facilitate informed decision-making. Engage stakeholders from various departments early in the process to ensure collaboration and buy-in.
6. Standardized regulatory reporting, incident management, and information sharing
DORA mandates standardized reporting of ICT incidents across the EU, requiring institutions to adapt their incident management processes and participate in information-sharing initiatives.
Build a structured incident management process that aligns with DORA's reporting templates and timelines, according to this report by Capgemini. Implement real-time monitoring systems to detect incidents promptly. Set up automated reporting systems that comply with EU standards. Train your staff on proper incident classification and reporting protocols. Participate in relevant groups and consortiums to share and receive intelligence on cyber threats, enhancing collective resilience.
7. Extensive change management and cultural shifts towards operational resilience
Implementing DORA's broad requirements necessitates long timelines and significant organizational change, including fostering a culture of operational resilience.
Develop a phased roadmap that breaks down DORA implementation into manageable steps with clear milestones and deadlines. Apply structured change management strategies, including communication plans and training programs, to help staff adapt to new protocols, tools, and reporting procedures. Promote a culture that values resilience through ongoing education and by embedding resilience objectives into performance metrics. Encourage feedback and adaptability to refine processes and address challenges as they arise, according to this report by PwC.
8. Timely compliance with tight implementation deadlines
The implementation timeline for DORA is strict, with the compliance deadline of 17 January 2025 fast approaching, adding pressure to the already extensive requirements.
To ensure timely compliance, start your efforts as soon as possible. Allocate sufficient resources, including budget and personnel, to meet deadlines. Regularly track your implementation progress against the roadmap and adjust plans as needed. Stay updated with regulatory developments and seek guidance when uncertainties arise. Recognize the implications of missing deadlines and prioritize tasks accordingly.
What do you consider to be your biggest DORA compliance challenges? Do you have a plan for a register for third-party service providers? Feel free to reach out, we are here to help.
