What DORA requires from 5 different stakeholders
Are you a board member, a C-Suite executive, the CIO, an ICT manager or a third-party ICT vendor? What DORA is to you depends on your role.
The Digital Operational Resilience Act (DORA) is an EU regulation aimed at enhancing the digital operational resilience of financial entities. It mandates that these institutions can withstand, respond to, and recover from ICT-related disruptions and threats. DORA will be applicable from January 17, 2025, and builds upon existing frameworks like those from the European Banking Authority (EBA) and national regulations.
So far, so good, but what is DORA to various stakeholders? In this article we set out to answer what DORA is for people in five different roles: Board members, C-Suite executives, CIOs, ICT managers and third-party fintech vendors. For each role, we give a brief description of the DORA responsibilities, as well as a set of questions that should be answered to make sure you do your part.
Our research includes feedback from the team developing our digital solution for third-party ICT service provider risk, and white papers from leading industry experts. Based on these, we believe there are eight major common denominators when it comes to DORA compliance challenges:
Board members hold the ultimate responsibility for complying with DORA
Board members hold ultimate responsibility for the entity's ICT risk management and operational resilience strategy. The board room is the place for strategic oversight. Thus, board members must define, approve, and oversee the implementation of the ICT risk management framework, ensuring it aligns with the organization's overall risk appetite and business objectives.
To approach the challenge at hand, most board members need to enhance or update their ICT knowledge. Board members should acquire sufficient knowledge to understand and assess ICT risks and their potential impact on the organization. Then come the regular reviews: board members should conduct periodic assessments of ICT-related risks and the effectiveness of implemented controls.
Having the ultimate responsibility, board members should ask the C-Suite executives (and the CIO) questions covering the full scope of DORA:
- Can you outline the ICT risk management framework we've implemented to meet DORA standards?
- How are we identifying, assessing, and mitigating ICT-related risks in accordance with DORA?
- How is our incident response plan structured to handle ICT disruptions, and how often is it tested?
- What due diligence processes are in place for selecting and monitoring third-party ICT vendors?
- Can you describe the threat-led penetration testing program we have implemented?
- What training programs are in place to enhance staff awareness and capabilities regarding ICT risks and DORA compliance?
- Do we have the necessary tools and technologies to support our digital operational resilience efforts?
C-Suite executives are responsible for DORA policy implementation
Policy implementation is the responsibility of C-Suite executives. The CEO and his or her team must ensure that policies and procedures are in place to manage ICT risks effectively. To this end, they must allocate appropriate financial and non-financial resources to support ICT risk management and resilience initiatives.
To ensure implementation, the approach should be built on cross-functional collaboration. C-Suite executives should work closely with ICT managers, compliance officers, and other stakeholders to integrate ICT risk management into the organization's operations. And to follow up, it is useful to establish key performance indicators (KPIs) to monitor the effectiveness of ICT risk management strategies.
C-Suite executives should ask the CIO (or ICT managers) questions to confirm sound implementation, such as:
- How have we integrated DORA's requirements into our ICT risk management framework, and what specific changes have been implemented to align with these standards?
- What methodologies are we using to identify and assess ICT-related risks, and how do these align with DORA's guidelines?
- What are our current protocols for detecting and reporting ICT-related incidents, and how do they comply with DORA's incident reporting requirements?
- How are we assessing and managing risks associated with third-party ICT service providers to ensure their compliance with DORA?
- What due diligence processes are in place for selecting and monitoring these third-party providers, and can you provide examples of their application?
- Can you share the outcomes of recent penetration tests and explain how they have informed improvements in our ICT resilience?
- What specific training programs have we implemented to enhance staff awareness and capabilities regarding ICT risks and DORA compliance?
- Can you provide a breakdown of the budget and personnel dedicated to ICT risk management and resilience efforts?
The Chief Information Officer (CIO) must develop and maintain the DORA framework
Depending on the size of the financial institution, we are now getting close to where the actual DORA compliance work is done. It is the CIO’s responsibility to develop and maintain a robust ICT risk management framework. This framework must include risk identification, assessment, mitigation, and monitoring processes.
Incident management is key. Thus, the CIO should implement processes to detect, manage, and report ICT-related incidents, ensuring compliance with DORA's reporting requirements. Since threats are always moving targets, it is important to regularly update ICT policies and procedures to address emerging threats and technological advancements. This work will be strengthened by ensuring that staff receive ongoing training on ICT security awareness and digital operational resilience.
To ensure the effective implementation of the ICT risk management framework, the CIO should collaborate closely with ICT managers who are more hands-on in day-to-day DORA compliance:
- Articulate the goals and importance of the ICT risk management framework to ICT managers, ensuring they understand its alignment with organizational objectives.
- Clearly define the roles and responsibilities of each ICT manager concerning risk management tasks, fostering accountability and ownership.
- Ensure ICT managers have access to the necessary tools, technologies, and personnel to effectively carry out risk management responsibilities, including penetration tests and due diligence of third-party ICT vendors.
- Provide ongoing training programs to keep ICT managers updated on emerging risks, regulatory changes, and best practices in risk management.
- Implement systems for ICT managers to regularly report on risk management activities, incidents, and mitigation efforts, facilitating timely decision-making.
A hands-on CIO may find it useful to read our checklist for DORA compliance.
ICT managers are responsible for daily operations related to DORA
ICT managers are responsible for daily operations that relate to DORA requirements. This includes overseeing the day-to-day management of ICT systems, ensuring their availability, integrity, and security. ICT managers are responsible for monitoring compliance with ICT policies and procedures, addressing any deviations promptly (incident management).
A key part of an ICT manager’s approach to DORA compliance is to maintain an up-to-date inventory of all information and ICT assets, including those provided by third-party service providers. Also, ICT managers need to conduct regular testing of business continuity and disaster recovery plans to ensure preparedness for potential disruptions.
Our checklist for DORA compliance is tailored to the everyday needs of ICT managers.
Here is a list of activities that will help ICT managers help their financial institutions comply with DORA, reducing ICT risk and improving resilience:
- Understand DORA's scope and requirements: Determine which parts of DORA are relevant to your company, considering its size, services, and existing compliance status.
- Conduct a gap analysis: Compare your company's existing ICT risk management practices against DORA's requirements to identify areas needing enhancement.
- Develop an implementation plan together with your CIO: Focus on high-risk areas identified in the gap analysis. Clearly define roles and responsibilities for team members involved in the compliance process, and set realistic deadlines.
- Enhance ICT risk management framework: Introduce necessary technical and organizational measures to manage ICT risks effectively.
- Strengthen incident reporting and management: Develop clear protocols for reporting major ICT-related incidents to competent authorities as required by DORA.
- Conduct digital operational resilience testing: Include vulnerability assessments and penetration testing, keep detailed records of test outcomes, and implement improvements based on the findings.
- Manage third-party ICT risks: Assess the ICT risk management practices of third-party service providers, and ensure contracts with third parties include clauses that address ICT risk management and compliance with DORA.
- Provide training: Programs should raise awareness about ICT risks and DORA compliance requirements among all employees.
- Monitor and review: Conduct internal audits to assess the effectiveness of implemented measures and ensure ongoing compliance.
What DORA is for third-party ICT vendors
Now we are moving outside the financial institution, to its third-party fintech providers. Contractual compliance is at the center of what DORA is for an ICT vendor delivering fintech to a financial institution. In particular, third-party providers must adhere to the contractual obligations related to ICT risk management and operational resilience that financial entities stipulate.
Transparency is key for a third-party vendor. This includes providing the information financial entities need to facilitate their own compliance with DORA requirements. Vendors should also engage proactively with clients to address ICT risk management concerns and participate in resilience testing exercises. To these ends, it is important to understand DORA's implications and align services and contractual terms to support clients' compliance efforts.