What You May Not Know About DORA – But You Should – Financial Services

European financial services firms will have less than 24 months to comply with the European Council’s Digital Operational Resilience Act (“DORA”) once it is made official later this year. Acting now has major benefits.

If you’re the IT manager of a European Union (“EU”) financial services company, you’ve no doubt had your eye on DORA for almost two years now. DORA – the Digital Operational Resilience Act – is expected to come into full force this fall after a review period that began in September 2020. When the law arrives, all financial services firms (“FS”) in the EU will have less than 24 months to strengthen their cybersecurity posture to comply with its new regulations.[1]

Now, if you’re on an SPO board or a senior executive, you might not have paid so much attention to DORA. And why should you? Isn’t DORA essentially a computer problem? Can’t your best techs handle compliance and testing?

You could go this route. But given the origins and intent of the new law, you may be seriously underestimating the significant compliance challenges. Additionally, you may be missing a unique strategic compliance opportunity that can benefit your organization. Indeed, DORA isn’t just about strengthening cybersecurity — it’s about building operational resilience across the enterprise.

Ask any IT manager about this last point and you’ll likely hear a mantra they’ve been preaching for a long time: cybersecurity and resilience must be an integral part of business implementation.

A focus on ICT

To better understand this point, let’s take a brief look at where DORA came from and its goals. For years, national governing bodies within the EU have exercised their own discretion when it comes to cybersecurity in financial services. This discretion has led to a patchwork of incident reporting processes and guidelines that have contributed to increased compliance costs for organizations.[2]

DORA harmonizes rules and regulations, aiming for consistency across the EU so that operations can be maintained despite severe operational disruptions. Specifically, the EU hopes the new laws will help financial services firms better resist, respond to, and recover from threats to information and communication technology (“ICT”). Given the business imperatives of maintaining ICT, DORA aims to build stability and confidence in the financial system.[3]

DORA will have far-reaching implications. Here, we ask and answer questions related to the new regulatory framework that may be on the minds of boards and senior executives.

Q. How is DORA different from the current regulations under which my business operates?

A. It depends on the regulations of your governing body. But the important thing to know about DORA is that it is much more interventionist than any existing guidelines. And it’s far more prescriptive than anything that’s been published before. It bears repeating: The EU is focusing on the central role of ICT in the financial services sector. Thus, flaws and vulnerabilities in digital infrastructures are not just IT issues, but enterprise-wide issues. You will need to move away from “cyber compliance” to think about “cyber insurance”.

Q. Can’t we just wait about a year to start compliance?

A. You can, but getting ahead of a new law that is so burdensome and has severe penalties and consequences for non-compliance is in the best interests of many businesses. Banks and insurance agencies are already mobilizing enterprise-wide DORA initiatives this year.[4] If you wait and then decide to tinker around the edges of your core systems, it might seem less disruptive, but you’ll be adding a huge amount of extra infrastructure.

Q. We are not a financial services company, but we are partners. Does DORA apply to us?

A. Almost all financial entities will be subject to DORA. For example, third parties that provide ICT-related services to financial services companies, such as cloud platforms and data analytics services, must be compliant. And the European Council says that “[c]ritical third-country ICT service providers to EU financial entities will be required to establish a subsidiary within the EU.”[5]

Q. What is one thing I might overlook when implementing DORA?

A. As noted, DORA has many requirements in all aspects of digital operational resilience. Have you considered, for example, how you will handle crisis communications if you experience a cyber incident while the law is in effect? It is mandatory under DORA to report all incidents, and having a plan ahead of time can mitigate reputational risk.[6]

Q. There are five key pillars associated with DORA (view sidebar). Which should I prioritize first?

A. All five are interdependent and must be tackled together. For the sake of space, this article presents only the “digital operational resilience test” pillar. The following articles will cover the remaining four pillars.

Q. Okay, tell me about digital operational resilience testing.

A. The pillar will require financial organizations to undergo regular testing by independent parties. Lawmakers are still working to clarify testing methodology and how multiple entities will recognize test results. But under the provisional agreement, the “penetration tests” are based on existing European initiatives such as TIBER-EU, a framework that “mimics the tactics, techniques and procedures of real attackers, based on tailored threat intelligence”.[7] The tests are tailor-made to simulate an attack on the critical functions of an entity and its underlying systems.

Q. Now that I know the pillar of testing, what is the most important thing I need to keep in mind when running a test program?

A. That it should focus on the customer. Since DORA aims to build stability and trust in financial systems, any digital operational resilience testing program must meet customer expectations.

Editor’s note: This is the first of three articles in which the FTI Journal examines DORA, the European Council’s piece of legislation that will strengthen regulation regarding information and communication technology (“ICT”) and cyber resilience in financial services companies. Here, the Journal provides information about the law and one of its five key pillars: digital operational resilience testing.

* FTI Consulting organizes DORA requirements into five key pillars; other sources may arrange them differently.

Footnotes:

1: FTI Perspectives, “Overview of DORA for Permanent TSB” (FTI Perspectives), April 2022, p. 3

2: FTI Cybersecurity, “The Digital Operational Resilience Act (DORA): Key Questions Business Leaders Should Ask”, FTI Consulting, December 29, 2020, https://fticybersecurity.com/2020-12/the-digital-operational-resilience-act-dora-key-questions-business-leaders-should-be-asking/

3: Council of the EU, “Digital finance, provisional agreement reached on DORA”, 11 May 2022, https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/

4: Lafarge, Joanna Grove, “What companies can expect from DORA”, Global Risk Regulator, February 4, 2021, https://www.globalriskregulator.com/Subjects/Reporting-and-Governance/What-firms-can-expect-from-DORA

5: Council of the EU, “Digital finance, provisional agreement reached on DORA”, 11 May 2022, https://www.consilium.europa.eu/en/press/press-releases/2022/05/11/digital-finance-provisional-agreement-reached-on-dora/

6: Moinuddin, Ali, “The Global Campaign for Improved Financial Sector Operational Resilience”, International Banker, June 7, 2022, https://internationalbanker.com/finance/the-global-drive-for-better-financial-sector-operational-resilience/

7: European Central Bank, “What is TIBER-EU?”, https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html#:~:text=TIBER%2DEU%20is%20the%20European,carrying%20out%20a%20controlled%20cyberattack.

The content of this article is intended to provide a general guide on the subject. Specialist advice should be sought regarding your particular situation.