Quick glance.
The Digital Operational Resilience Act (DORA) is a critical regulation aimed at enhancing the operational resilience of the financial sector against cyber-attacks and ICT-related incidents. With the increasing reliance on technology, financial institutions face significant risks that can disrupt services and impact economies globally. DORA, enforced by the EU starting in 2023 with full compliance required by 2025, mandates comprehensive ICT risk management, incident reporting, resilience testing, and third-party risk management. This blog provides a structured approach to achieving DORA compliance, offering financial institutions practical guidance to navigate these requirements and strengthen their operational resilience.
Significance of DORA
The financial sector’s increasing dependence on technology and tech companies’ delivery of financial services is making it vulnerable to cyber-attacks or incidents. When not managed properly, Information and Communication Technology (ICT) risks can lead to disruptions of financial services across borders, leading to widespread economic impact. In the fast-evolving digital financial world, the importance of operational resiliency of the financial sector is a growing concern for global regulators.
Introduced in 2020, adopted by EU in 2022 and enforced starting 2023 DORA is a fast-moving regulation requiring implementation in 2025 with upcoming milestones for incident reporting and European Commission reviews.
Implications for Financial Institutions
DORA casts a wide net across all financial market participants, applying to a diverse range of entities including banks, credit and payment institutions, securities and trading firms, investment managers, insurance companies, rating agencies and all critical ICT third-party service providers.
1. ICT Risk Management & Governance
To address and manage ICT risk, Financial Entities (FEs) must set up and maintain ICT systems, tools & protocols that are appropriate to magnitude of operations in accordance with the proportionality principle.
2. Incident Reporting
Financial Entities (FEs) must establish appropriate procedures and processes to ensure a consistent and integrated monitoring, handling, and follow-up of ICT-related incidents & significant cyber threats to ensure that root causes are identified, documented, and addressed to prevent the occurrence of such incidents.
3. Digital Operational Resilience Testing
Financial Entities (FEs) must perform network security assessments, vulnerability Assessments, & Threat-Led Penetration Testing. The frequency & scope must be commensurate with entity’s Size & complexity.
4. ICT Third Party Risk Management
Financial Entities (FEs) must maintain and update at entity level, and at sub-consolidated and consolidated levels all contractual arrangements with clear articulation of rights and obligations of the financial entity and of the ICT third-party service provider for all ICT services within their remit.
5. Information Sharing
Financial Entities (FEs) may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cyber security alerts and configuration tools within trusted communities of FEs and public authorities.
7 steps to DORA Compliance
The pervasive nature of this act combined with the complexities of IT environments of financial institutions requires a structured, proactive, and methodical approach by financial companies to achieve compliance efficiently and with the least impact to business. We recommend a seven-step approach to enhance IT environment and work towards compliance:
- Develop clear understanding of DORA compliance requirements and how they apply to their business processes and IT environment.
- Gap Assessment of current state vs the desired state of risk framework, policies, processes, systems and controls and development of mitigation plan.
- Comprehensive implementation plan to address the gaps and strengthen ICT risk framework, incident response, resilience testing and third-party risk management.
- Technology integration to ensure most effective and efficient solutions through the usage of fit-for-purpose GRC tools and operations management platforms.
- Comprehensive resiliency testing strategy including vulnerability assessment, penetration testing, scenario testing and third-party resiliency.
- Continuous monitoring of regulatory changes, disciplined resiliency testing and improvements to ICT risk framework based on industry best practices.
- Establish a culture of digital resilience in the organization through learning & development and HR practices.
Coforge DORA Compliance Framework
Coforge has created a customizable three-pillar framework for our clients to approach each component of compliance obligations systematically, make incremental progress and demonstrate progress towards compliance.
The first pillar is about assessing the current state against the DORA requirements and produce the exhaustive mitigation plan for the gaps identified through a comprehensive review of ICT risk policies, framework, processes, systems, and controls.
The second pillar is the execution phase where we support our clients to achieve the desired state through implementation of controls, systems, data management, testing and governance. We leverage our strong technology expertise to provide AI based strategies for implementing a cost-effective, efficient, and sustainable technology solution.
The final assurance pillar provides for a post-facto evaluation of the ICT ecosystem to ensure that gaps have been mitigated and the compliance to five DORA principles can be achieved.
We will partner with our clients to develop their customized compliance strategy and implementation plan, support platform implementation through our IT expertise and extensive partner network, provide assurance through our comprehensive testing services and help create the organization ecosystem for a strong resilience culture and governance.
The Way Forward
At Coforge, we understand the complexities of DORA compliance and offer a comprehensive approach to guide our clients through every stage of their compliance journey. Our several years of operational risk management experience combined with our innovative technology offerings enable us to provide end-to-end DORA compliance solutions to our clients including regulatory advisory, risk assessment, program management, technology implementation, control testing and compliance assurance.
We look forward to engaging with banks and financial institutions and provide them an overview of our DORA compliance framework, help them map the compliance obligations relevant to their organization and create a full customized solution for achieving compliance to this cornerstone regulation.
Global Financial Services leader, with 25+ years track record delivering regulatory risk and compliance programs in banking and asset management in the US, UK, Europe and Asia. As country CRO (Wells Fargo) and Head of Risk (Natwest, Credit Suisse), established Risk centres of excellence in India, Poland and Philippines.
Seasoned Financial Markets Professional with over 25+ years of experience spanning across front to middle office in – Equities & Derivatives trading, Financial Risk Management (Market / Credit Risk – Basel Regulations), Investments & Wealth Management. He has extensive experience in building teams and delivering solutions in Risk Data Management & Analytics stream for global BFS
Related reads.
About Coforge.
We are a global digital services and solutions provider, who leverage emerging technologies and deep domain expertise to deliver real-world business impact for our clients. A focus on very select industries, a detailed understanding of the underlying processes of those industries, and partnerships with leading platforms provide us with a distinct perspective. We lead with our product engineering approach and leverage Cloud, Data, Integration, and Automation technologies to transform client businesses into intelligent, high-growth enterprises. Our proprietary platforms power critical business processes across our core verticals. We are located in 23 countries with 30 delivery centers across nine countries.