Four Hurdles of the EU’s Digital Operational Resilience Act

Stringent requirements for technological reliability, cybersecurity, business continuity and vendor risk management take effect in January 2025. Accountability rests with senior executives and boards. Firms are advised to plan ahead and call in outside help to prepare.

Friday, August 4, 2023

By Taylor Broshar and Aaron Pinnick

In the age where cyber attacks and other types of business disruptions are the norm rather than the exception, operational resilience has become a key focus of regulators to ensure financial firms of all sizes are prepared to respond to and recover from the evolving risk landscape.

The Digital Operational Resilience Act (DORA), which was published by the European Parliament in December 2022, is one of the most recent examples of this regulatory focus. This legislation aims to fortify European Union financial institutions’ ICT (Information and Communications Technology) stability and resiliency as they face increasing cyber threats. As such, DORA sets forth a comprehensive set of standards to ensure entities operating in the EU (those falling within the scope of the act are listed in its Chapter I, Article 2) are better equipped to prevent, respond to and recover from cyber incidents and other disruptions.

The standards address five pillars, with multiple requirements falling under each:

1. ICT Risk Management

2. ICT-related Incident Management, Classification and Reporting

3. Digital Operational Resilience Testing

4. Managing of ICT Third-Party Risk

5. Information-sharing Arrangements

While it is not set to take effect until January 17, 2025, most firms will need to begin preparing now to ensure full compliance by that date.

Although the sheer breadth of DORA can feel overwhelming, many of the requirements are not new, but rather already well-accepted risk management practices. DORA is largely just codifying them under a single EU regulatory framework.

However, there are four areas that will likely be new and challenging for many firms to navigate, regardless of maturity level. These will require more preparation and resources in terms of ICT expertise, time and personnel, and many firms will likely want to lean on outside experts to ensure compliance.

1. Executive ICT Responsibility and Accountability

DORA transfers ultimate responsibility and accountability for managing ICT risks to executives and the board, which for many firms will require changes in decision-making policies and procedures (DORA Chapter II, Section I, Article 5).

This will demand greater involvement of executives and the board on ICT risk management, an area where they have traditionally played less of an active role. In turn, this is expected to create net new workstreams for executives as well as firms’ cyber risk experts, as they confront new responsibility and accountability structures for managing and overseeing ICT risks. To ensure a smooth transition and ease the burden on executives and their cyber risk leaders, firms should begin working to identify ownership, policies and processes for the following:

  • Assigning ICT-related roles and responsibilities, including management of ICT third-party providers.
  • Formalizing regular collaboration on ICT risks and strategy between designated cyber risk role(s) and executives.
  • Setting, approving, and regularly reviewing ICT risk management and operational resilience strategies, including business continuity plans (BCP) and disaster recovery plans (DRP), on a defined cadence.
  • Training and updating executives and board members on ICT risk management and operational resilience by internal or external cyber risk experts.

2. Critical Third-Party Vendor Requirements and Oversight

DORA’s enhanced ICT third-party risk management requirements place new expectations on financial firms to ensure ICT vendor risks are managed across the entire vendor lifecycle, with a particular emphasis on critical third-party providers (CTPPs). Notably, the regulation introduces a first-of-its-kind Oversight Framework that gives regulators the authority to classify ICT third-party providers (TPPs) as “critical” based on specific criteria and to oversee those CTPPs, including the authority to conduct ongoing monitoring, request documentation, carry out investigations, and issue remediation action steps and sanctions (Chapter V, Section II, Article 31).

Further, financial firms are instructed to develop and document exit strategies for CTPPs in the event of service failures or other disruptions to ensure continuity of services and operations.

These enhanced ICT TPP and CTPP requirements place added responsibility on both financial firms and their ICT vendors, posing potential implications for firms’ supply chains. It is important that firms begin to proactively evaluate and improve ICT third-party management processes and policies to align with DORA’s expectations. As a first step, financial firms should consider:

  • Conducting an ICT TPP inventory and identifying critical vendors based on DORA’s criteria.
  • Reviewing existing contracts to ensure DORA compliance.
  • Evaluating current processes for assessing and monitoring ICT TPP risks.
  • Updating due diligence of some or all ICT vendors in accordance with DORA.
  • Developing exit strategies for CTPPs in accordance with DORA.
  • Identifying backup vendors for CTPPs and/or opportunities for vendor consolidation to minimize the number of CTPPs and oversight required.

3. ICT Incident Reporting and Documentation

DORA’s incident reporting requirements introduce new obligations for financial firms to report any major ICT-related incident to clients as well as the proper authorities “without undue delay.” Specifically, financial firms will be expected to submit an initial notification, an intermediate report with detailed updates on the incident, and a final report, which includes a root cause analysis, impact assessment, and mitigation measures taken (Chapter III, Article 19).

While the time requirements and specific templates for reporting are still in committee, firms should consider the following to be better prepared:

  • Identifying role(s) and responsibilities for overseeing incident response (IR) across the organization and for monitoring as well as implementing DORA’s IR requirements.
  • Developing processes to quickly alert clients of future incidents.
  • Developing processes to quickly alert authorities of future incidents in accordance with DORA requirements.
  • Testing incident response plans with table-top exercises.

4. Digital Operational Resilience Testing

DORA calls for a comprehensive testing program that includes a variety of tests and tools to evaluate ICT systems, people, processes and procedures for classifying and remediating identified issues. (Chapter IV, Article 25 lists possible tests firms should consider conducting, such as vulnerability assessments and scans, open-source analyses, network security assessments, gap analyses, physical security reviews, questionnaires, and scanning software solutions.)

At a minimum, financial firms are expected annually to conduct a range of tests on all “ICT systems and applications supporting critical or important functions.” Additionally, firms are expected to conduct advanced, threat-led penetration tests (TLPT) every three years, which should include ICT third-party providers as appropriate.

The testing requirements of DORA are one area of opportunity for firms to cut costs and outsource this requirement to create bandwidth for their own internal teams, as well as gain new insights from an independent perspective. Working with outside experts like ACA Aponix can help firms develop a testing strategy that fits their risk management strategy as well as DORA requirements. To get started, firms should consider:

  • Conducting an inventory of tests currently conducted, including by whom and the frequency.
  • Identifying gaps and/or opportunities for enhanced testing.
  • Developing a threat-led penetration testing plan.
  • Identifying independent service providers to conduct tests of ICT systems, people and processes.

Conclusion

Meeting DORA’s more demanding requirements as outlined above requires significant preparation and planning, which is why it is critical that firms begin now. As with any new regulation, the first step is to conduct a gap/readiness assessment to understand where a firm’s existing program stands against DORA’s requirements. However, unlocking the necessary resource capacity (technical expertise, personnel, time, etc.) to fill the identified gaps can be a key obstacle for many firms.

Likewise, for firms that fall under other regulatory jurisdictions, ensuring risk programs are aligned to not only DORA but other cyber regulations, such as the Securities and Exchange Commission’s proposed Rule 206(4)-9, presents further challenges. (See SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies.) Leaning on outside expert advisors can help firms solve these challenges by freeing up already stretched resources while simultaneously meeting regulatory obligations in a more efficient and cost-effective manner.

Taylor Broshar is a Senior Research Analyst with ACA Aponix, where she helps lead the team's thought leadership initiative on the intersection of cybersecurity and the financial services sector as well as product development initiatives. She holds a Bachelor of Arts in Political Science from Central College and a Master of Public and International Affairs from the University of Pittsburgh.

Aaron Pinnick is the Manager of Thought Leadership for ACA’s Aponix Program, where he creates research to ensure clients receive the latest and most critical information they need to manage risk and ESG responsibilities. He was previously a Managing Analyst for Ballast Research, providing government affairs leaders with insights into their reputation with policymakers; and a research director for Gartner’s Compliance and Ethics program. He holds a master’s degree in sociology from Texas A&M University and a bachelor’s in sociology from Minot State University.

© 2024 Global Association of Risk Professionals