DORA: your questions, answered
5 min read 13 June 2024
It’s not surprising that you have questions about the Digital Operational Resilience Act (DORA). It’s the EU’s most expansive digital risk regulation, and the expectations on your firm are significant. You need to enhance your technology and cyber resilience, improve your risk and controls framework, and put information and communication technology (ICT) risk high on the agenda of your board and executive committees. With such a long list of actions, where do you even begin?
To help, we’ve pulled together 10 of the most frequently asked questions by our clients to give you the answers you need.
What is the definition of ICT according to the European Banking Authority (EBA)? Many references are to IT systems, but how broadly should we apply DORA?
Taking the text verbatim, an ICT asset is a software or hardware asset in the network and information systems used by the financial entity. Put simply, every ICT system you use falls within DORA’s scope; there is no carve-out for systems that are merely supporting or internal. Apply a risk-based approach across that estate, prioritising controls and monitoring on the systems that are most critical or carry the highest risk, starting with those that support your critical or important functions.
Who’s responsible for ICT risk management activities under DORA?
Day-to-day ICT risk management responsibilities tend to span the CIO, CTO, and COO, with CISO input too. Ultimate accountability, however, sits with the management body: DORA requires it to define, approve, and oversee the ICT risk management framework, not delegate it entirely to the technology function. The second line of defence is also important in establishing a framework that’s effectively integrated with enterprise risk management structures, and in providing appropriate review and robust challenge of the first line.
How can we effectively manage risks associated with ICT systems that may lack modern security features?
Generally, there are five actions that we’d recommend:
- Develop an inventory of the ICT systems that support your firm’s critical or important functions (CIFs), recording which legacy systems sit in that set.
- Define criteria for assessing the impact if a legacy ICT system fails, and what that failure means for the CIFs it supports.
- Assess the likelihood of those failures and take a risk-based approach to mitigation across your legacy estate.
- Control and monitor the risks, put additional protective (compensating) measures in place where possible, and review the mechanisms you use to monitor vulnerabilities and threats affecting systems that no longer receive vendor patches.
- Where the residual risk of a legacy system can’t be reduced to an acceptable level, consider whether it needs to be replaced.
What are the testing capability enhancements required by DORA?
You need to have a comprehensive testing framework. We think this should cover:
- Regular and thorough testing of ICT systems to identify vulnerabilities, confirm robustness, and verify that security controls are working as intended.
- Scenario-based testing, including extreme but plausible events, to confirm that systems can withstand unexpected disruptions.
- Advanced threat-led penetration testing (TLPT), including red-team exercises that simulate sophisticated cyberattacks to test the resilience of your systems and identify weaknesses. DORA requires financial entities identified by their competent authority to carry out TLPT at least every three years, covering the systems that support CIFs.
- Incident response testing to measure the effectiveness of response plans through regular drills and tabletop exercises.
- Testing of third-party systems, making sure your providers also rigorously test their ICT systems and processes so that your entire supply chain is resilient—especially where they support CIFs.
What level of oversight is expected of sub-contractor relationships?
Oversight should be proportionate to the impact a sub-contractor failure would have on the ICT services supporting your critical or important functions (CIFs), so start by understanding that impact. You need to be comfortable with the due diligence the third party performs over its sub-contractor relationships and with how regularly it risk-assesses them. You also need to ensure you’re notified sufficiently in advance of material changes to sub-contracting arrangements, that you risk-assess any such change, and that material sub-contracting changes are subject to your approval or non-objection.
How are firms integrating third-party risk management (TPRM) effectively into enterprise risk management frameworks (ERMF)?
TPRM needs to be integrated into your ERMF at the point where you identify risks and wherever your DORA implementation calls for new or adapted controls. As you probably already know, identifying and mapping CIFs is anchored to ICT risk ownership in the first line of defence. But your second line also needs sufficient expertise to discharge its responsibilities effectively. We’ve seen scenarios where specialist cyber risk skills are needed to complement the existing capabilities of the risk function.
What’s the potential impact of an organisation using the services of a firm in scope of Article 33 (i.e. increased costs being passed on)?
Article 33 sets out the tasks of the Lead Overseer in respect of ICT third-party service providers designated as critical, so its provisions fall on those providers rather than on the financial entities using them. The chance of significant costs being passed on to individual service users during implementation is therefore low. Providers may need to increase their compliance and risk management resources, so we may see an incremental increase in critical software costs in the medium to long term. But this will depend on the maturity of the ICT risk rules, procedures, and mechanisms the service provider already has in place.
Do we need an exit plan for each ICT service provider that supports a critical function?
Yes, you need a documented exit plan for each of your ICT third-party service providers supporting a CIF. We’ve seen a lot of firms fail to adequately define the service description and their key dependencies on the third party. It’s really important that you don’t overlook this step, and the register of information can be a useful tool in tackling it.
You should define how often exit plans are reviewed and tested, and set this out in a policy. In some cases, it might be beneficial to combine exit testing with the testing of other contingency plans to avoid duplication.
DORA talks about including contractual agreements around exit plans but what does that mean and what should we include in contracts?
You should consider exit planning throughout the entire third-party lifecycle to mitigate risks and ensure a seamless service transition. Address it during supplier due diligence, before contracting is even considered: assess alternative service providers, the impact of a service disruption, and the risks of such disruption. When contracting a supplier for critical services, include clear obligations on the provider in the event of disruption, clear terms for contract termination, and the supplier’s obligations during an exit, such as a transition period long enough to migrate the service and return or delete your data. These clauses aim to ensure your critical services aren’t disrupted and that you’re protected against an uncontrolled exit.
Is there alignment between DORA requirements on ICT third-party providers and the proposed UK Critical Third-Party (CTP) regime?
The short answer is yes. Both the CTP regime and DORA stem from the concern that financial institutions have become so dependent on third-party providers that disruption at one of those providers could harm customers and the stability of financial markets. Given this common concern, there’s natural overlap between the UK and EU approaches. Both focus on improving the risk management and governance of third parties that provide critical systems or services, and several themes correlate strongly, which could provide synergies for firms addressing both regimes.
Got more questions and need answers fast?
Getting your head around regulation isn’t always easy—especially when it’s as expansive as DORA. But our team of operational resilience and regulatory compliance experts is on hand to help.
We don’t believe in one-size-fits-all solutions. We help you focus on the right details—whether that’s simplifying your network of third-party dependencies, fine-tuning your ICT risk frameworks, or developing your testing capability. We act as an extension of your team, embedding resilience at the core of your organisation to protect your biggest assets. And when we leave, our capabilities stay, because we upskill your people to build sustainable solutions faster, keeping you ready for the next wave of risk and regulation.