15 September 2023

DORA – Digital Operational Resilience for the Financial Services Sector

The complexities of the digital age and our increasing reliance upon interconnected ICT systems necessitate a robust approach to risk. This is especially true for the Financial Services sector, where global fiscal systems now depend heavily upon digital tools for their basic daily operations.

These digital tools have facilitated an intricate web of cross-border networks; no longer impeded by geographical boundaries, our transactions have come to be made with much increased speed and accuracy. But like any system, increased complexity means increased vulnerability, and an ever-expanding threat landscape to get to grips with.

Recognising this, the European Union has introduced new legislation specifically for Europe’s Financial Services Sector: The Digital Operational Resilience Act, a.k.a. DORA.

What is DORA?

DORA is a regulatory framework, implemented with the purpose of consolidating and upgrading existing EU legislation on digital operational resilience within the finance sector. It was introduced by the EU in December of 2022, but will come into force officially on the 17th of January 2025.

Much like the already introduced NIS 2 legislation, DORA aims to enforce a minimum viable level of cyber security and digital operational resilience across all in-scope entities, combating any 'weak links' across the Union's financial services sector that could be exploited by malicious actors.

Each EU member state is expected to implement its own legislation in response to this directive, meaning there may be regional variations in the specifics of the regulation. The requirements laid out by DORA at the Union level, though, do provide us with an idea of what to expect overall. Industry best practice is laid out in a holistic manner, encompassing areas such as risk management, third-party risk, incident management, reporting requirements, and testing structures.

In terms of penalties in case of non-compliance, DORA outlines two sets of penalties – those for the financial entities themselves, and those for the ICT third-party service providers.

  1. Financial Services Entities – DORA does not specify the exact fines or sanctions for in-scope entities, but instead provides competent authorities ‘all supervisory, investigatory and sanctioning powers necessary to fulfil their duties’. This means that penalties for non-compliance will be determined by EU member states in their own implementations of DORA.
  2. ICT third-party service providers – As outlined in Article 35, Overseers can impose a periodic penalty payment for non-compliance of up to 1% of the ‘average daily worldwide turnover of the critical ICT third-party service provider in the preceding business year’ for up to 6 months.

Why is it needed?

Like many sectors, financial services have observed a transition towards heavy reliance on ICT and digital technologies for the running of day-to-day operations.

The criticality of these applications varies, but in many cases, they are responsible for keeping our international economic, banking, and data reporting structures afloat. With so many of our financial systems now relying on these technologies, the risk profile of the entities involved has rapidly expanded. The interconnectivity of financial systems in the EU means a breach in one area may have a significant knock-on effect for the rest of the sector, resulting in widespread disruption and market strain. DORA's role is to provide a practical and security-driven framework that serves to mitigate the risk posed to these critical systems, in turn strengthening the Union's operational resilience in the face of breaches, threat actors, and digital disruption.

What you need to know

DORA outlines requirements in several key areas, taking into consideration the whole IT risk management lifecycle. We've pulled out a few key points below:

  1. ICT Risk Management - This section mandates the need for an ‘internal governance and control framework’ and a ‘comprehensive and well-documented’ risk management framework. There are also obligations to maintain effective protection and prevention programmes, as well as incident detection and disaster recovery protocols. Proper communication structures are required, as are backup/restoration policies and procedures.
  2. ICT-Related Incident Management, Classification and Reporting - DORA specifies the mechanisms for incident response, as well as laying out a framework for incident classification and severity rating. It then outlines reporting obligations, which include the need to report any major incident to the relevant competent authority. There are also stipulations regarding the notification of affected clients.
  3. Digital Operational Resilience Testing – Financial entities will be expected to build a robust testing regime, designed to ‘identify weaknesses, deficiencies and gaps’ within their digital operational resilience. This includes the testing of ICT tools and systems using a risk-based approach, considering both the broader and localised risk landscape. These tests must be undertaken by internal or external independent parties, and any issues found as a result must be remedied following identification. The regulation goes on to specify a requirement for some entities to conduct Threat-Led Penetration Testing (TLPT) of their ICT tools and systems.
  4. Managing of ICT Third-Party Risk - This is one of the more extensive chapters of the legislation and outlines how the management of third-party risk should be integrated into risk-management frameworks. DORA notes in Article 28 (5) that ‘financial entities may only enter into contractual arrangements with ICT third-party service providers that comply with appropriate information security standards’. The regulation’s focus on supply-chain risk goes as far as to outline key contractual provisions, circumstances for contractual termination, and even establishes an Oversight Forum with dedicated supervisory powers for critical third-party providers.

It is also worth noting that the four overarching DORA requirements outlined above do constitute industry best practice, and as such are also outlined in many similar legislative obligations introduced by other nations, for example the SEC/FTC cyber security updates in the United States.

Who it will affect

Legislators have outlined clearly within DORA the kinds of institutions within scope of the legislative obligations. While there are a few noted exceptions to these categories, the in-scope entities are as follows:

  - Credit Institutions
  - Payment Institutions
  - Account Information Service Providers
  - Institutions for Occupational Retirement Provision
  - Investment Firms
  - Crypto-Asset Service Providers
  - Central Securities Depositories
  - Central Counterparties
  - Trading Venues
  - Trade Repositories
  - Managers of Alternative Investment Funds
  - Management Companies
  - Data Reporting Service Providers
  - Insurance and Reinsurance Undertakings
  - Insurance Intermediaries, Reinsurance Intermediaries, and Ancillary Insurance Intermediaries
  - Electronic Money Institutions
  - Credit Rating Agencies
  - Administrators of Critical Benchmarks
  - Crowdfunding Service Providers
  - Securitisation Repositories
  - ICT Third-Party Service Providers


Conclusion

It is important to note that DORA is not just a one-off compliance exercise, but an ongoing obligation that for some may require a fundamental overhaul of current processes. The adoption of robust digital operational resilience frameworks necessitates C-suite-level investment and board-level sponsorship of integrated risk approaches across the organisation. Increased EU supervisory activities will necessitate a solid foundation in risk management, encouraging a divergence from reactionary practices driven by breaches and compliance.

While the controls we operate for cybersecurity must be applied, DORA (like many of its global cousins) helps to highlight the need to take security seriously and to turn the conversation from ‘what’s the cost of security’ to ‘what’s the cost of failing to secure’.