The Digital Operational Resilience Act (DORA) is a critical regulation aimed at enhancing the operational resilience of the financial sector against cyber-attacks and ICT-related incidents. With the increasing reliance on technology, financial institutions face significant risks that can disrupt services and impact economies globally. DORA, enforced by the EU starting in 2023 with full compliance required by 2025, mandates comprehensive ICT risk management, incident reporting, resilience testing, and third-party risk management. This blog provides a structured approach to achieving DORA compliance, offering financial institutions practical guidance to navigate these requirements and strengthen their operational resilience.
The financial sector's increasing dependence on technology, and on technology companies for the delivery of financial services, makes it vulnerable to cyber-attacks and ICT incidents. When not managed properly, Information and Communication Technology (ICT) risks can lead to disruptions of financial services across borders, with widespread economic impact. In the fast-evolving digital financial world, the operational resilience of the financial sector is a growing concern for global regulators.
Introduced in 2020, adopted by the EU in 2022 and enforced starting in 2023, DORA is a fast-moving regulation requiring implementation in 2025, with upcoming milestones for incident reporting and European Commission reviews.
DORA casts a wide net across all financial market participants, applying to a diverse range of entities including banks, credit and payment institutions, securities and trading firms, investment managers, insurance companies, rating agencies, and all critical ICT third-party service providers.
1. ICT Risk Management & Governance
To address and manage ICT risk, Financial Entities (FEs) must set up and maintain ICT systems, tools and protocols that are appropriate to the magnitude of their operations, in accordance with the proportionality principle.
2. Incident Reporting
Financial Entities (FEs) must establish appropriate procedures and processes to ensure consistent and integrated monitoring, handling, and follow-up of ICT-related incidents and significant cyber threats, so that root causes are identified, documented, and addressed to prevent the recurrence of such incidents.
3. Digital Operational Resilience Testing
Financial Entities (FEs) must perform network security assessments, vulnerability assessments, and Threat-Led Penetration Testing. The frequency and scope must be commensurate with the entity's size and complexity.
4. ICT Third Party Risk Management
Financial Entities (FEs) must maintain and update, at entity level and at sub-consolidated and consolidated levels, all contractual arrangements for the ICT services within their remit, with a clear articulation of the rights and obligations of the financial entity and of the ICT third-party service provider.
5. Information Sharing
Financial Entities (FEs) may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise; tactics, techniques, and procedures; cyber security alerts; and configuration tools, within trusted communities of FEs and public authorities.
The pervasive nature of this act, combined with the complexity of financial institutions' IT environments, requires a structured, proactive, and methodical approach by financial companies to achieve compliance efficiently and with the least impact on the business. We recommend a seven-step approach to enhance the IT environment and work towards compliance:
Coforge has created a customizable three-pillar framework that allows our clients to approach each component of their compliance obligations systematically, make incremental progress, and demonstrate that progress towards compliance.
The first pillar assesses the current state against the DORA requirements and produces an exhaustive mitigation plan for the gaps identified through a comprehensive review of ICT risk policies, framework, processes, systems, and controls.
The second pillar is the execution phase, where we support our clients in reaching the desired state through the implementation of controls, systems, data management, testing, and governance. We leverage our strong technology expertise to provide AI-based strategies for implementing a cost-effective, efficient, and sustainable technology solution.
The final pillar, assurance, provides a post-facto evaluation of the ICT ecosystem to confirm that the gaps have been mitigated and that compliance with the five DORA principles can be achieved.
We will partner with our clients to develop their customized compliance strategy and implementation plan, support platform implementation through our IT expertise and extensive partner network, provide assurance through our comprehensive testing services, and help create the organizational ecosystem for a strong resilience culture and governance.
At Coforge, we understand the complexities of DORA compliance and offer a comprehensive approach to guide our clients through every stage of their compliance journey. Our many years of operational risk management experience, combined with our innovative technology offerings, enable us to provide end-to-end DORA compliance solutions to our clients, including regulatory advisory, risk assessment, program management, technology implementation, control testing, and compliance assurance.
We look forward to engaging with banks and financial institutions, providing them with an overview of our DORA compliance framework, helping them map the compliance obligations relevant to their organization, and creating a fully customized solution for achieving compliance with this cornerstone regulation.