Understanding DORA: The EU's Digital Operational Resilience Act

Introducing DORA

The European Union (EU) is taking an important step towards safeguarding the financial landscape with the Digital Operational Resilience Act (DORA), an initiative that falls into the new Digital Finance Strategy with the specific focus of addressing how financial firms should manage digital risk. This piece of legislation was introduced on 16 January 2023, giving financial entities two years to become compliant when it comes into effect on 17 January 2025.

This is a change that Enterprise Architects and CIOs in the financial sector will want to pay attention to. DORA represents a major shift in regulatory requirements, mandating robust cybersecurity measures and contingency plans for both financial institutions and their third-party service providers.

DORA is more than just regulatory compliance. Enhanced digital operational resilience fosters a more secure financial ecosystem, protecting sensitive customer data, boosting consumer confidence, and minimizing systemic risk. By proactively preparing for DORA, businesses can not only ensure compliance but also gain a competitive advantage in the evolving financial landscape.

Learn how the Ardoq platform is empowering financial institutions with their digital transformations and resilience, including preparing for DORA compliance: How Enterprises are Using Ardoq to Support DORA

What Is the Digital Operational Resilience Act, and Why Is It Important?

DORA establishes a robust regulatory framework that aims to prevent, detect, and respond to cyber threats and operational disruptions. Here's a light overview:

• Focus on Risk Management: DORA requires establishing a comprehensive ICT risk management framework involving vulnerability assessments, mitigation strategies, and ongoing monitoring.
• Third-Party Scrutiny: Financial institutions must conduct thorough due diligence and potentially onboard only DORA-compliant third-party providers to strengthen the overall security posture.
• Incident Response and Testing: DORA mandates periodic digital operational resilience testing capabilities and requires the implementation of management systems to monitor and report significant ICT-based incidents to the relevant authorities.

Entities Impacted by the DORA Regulation

The Digital Operational Resilience Act applies to a wide range of financial institutions, including banks, payment service providers, and critical infrastructure providers within the financial sector. Additionally, any third-party service providers delivering Information and Communication Technology (ICT) services to these financial institutions fall under DORA's purview. KPMG has a detailed list of entities impacted by DORA.

Safeguarding Our Financial Future: Why is DORA Needed?

Modern finance thrives on robust digital infrastructure. Banks, payment services, and investment firms rely heavily on technology to deliver core services. From secure online banking platforms to real-time transactions, these systems underpin the smooth functioning of the financial ecosystem.

This dependence on technology brings inherent risks. Cyberattacks are a constant threat, with the potential to cripple financial operations, compromise sensitive data, and erode consumer confidence. Additionally, IT disruptions caused by technical failures or natural disasters can have equally devastating consequences.

According to a Lloyds of London scenario analysis,

“If a cyber attack on a major financial services payment system were to take place, the global loss could reach $3.5 trillion over a five-year period.”

DORA has been introduced in an attempt to mitigate this tremendous potential cost to organizations and to the larger economy, while also safeguarding the security and privacy of individual citizens and the services upon which they rely.

The Benefits of Compliance With DORA

In 2020, the FBI determined that business email compromise remains the most significant cyber threat. The UK’s National Cyber Security Centre (NCSC) also warned about phishing campaigns and issued guidance that includes deploying the global industry standard protocol, DMARC, as the first line of defense. 

Businesses, however, generally have been slow to address significant cyber threats. While DORA presents challenges for IT leaders in the financial sector, it also brings the opportunity to address potential security weaknesses. Though implementing DORA provisions requires effort, the benefits are substantial:

• Enhanced security: DORA compels financial institutions to adopt robust cybersecurity measures, which translates to a more secure financial ecosystem as a whole. A more secure financial environment protects valuable data, and fosters trust with customers.
• Reduced systemic risk: DORA promotes proactive risk management and incident response planning. Increased resilience enables financial institutions to better withstand disruptions and recover faster from unforeseen crises, minimizing their economic impact.
• Competitive advantage: DORA fosters a more secure and resilient financial landscape. By demonstrably prioritizing digital operational resilience, financial institutions can boost consumer trust in the financial services they rely upon and gain a competitive edge.

The Main Provisions of DORA

The EU's Digital Operational Resilience Act (DORA) establishes a comprehensive framework to strengthen the digital resilience of the financial sector. DORA's regulatory framework rests upon five key pillars:

1. ICT Risk Management:

This pillar focuses on establishing a robust and consistent approach to managing risks associated with ICT. DORA mandates financial institutions to develop a comprehensive ICT risk management framework. This framework should include:

• Risk Identification: Identifying potential threats and vulnerabilities across the entire ICT infrastructure and operations.
• Risk Assessment: Evaluating the likelihood and potential impact of identified threats.
• Risk Mitigation: Implementing appropriate controls and safeguards to minimize identified risks.

2. ICT-related Incident Management, Classification & Reporting:

This pillar introduces a structured approach to identifying, managing, and reporting ICT-related incidents. Key aspects include:

• Incident Management Framework: Establishing clear procedures for detecting, investigating, and responding to ICT-related incidents.
• Incident Classification: Categorizing incidents based on severity and potential impact to facilitate timely and appropriate response measures.
• Incident Reporting: Implementing clear protocols for reporting major ICT-related incidents to the relevant supervisory authorities.

3. Digital Operational Resilience Testing:

This pillar emphasizes the importance of proactively testing and verifying an institution's ability to withstand and recover from disruptions. DORA mandates:

• Vulnerability Assessments: Regularly assessing vulnerabilities in ICT systems and infrastructure.
• Penetration Testing: Conducting simulated cyberattacks to identify weaknesses and assess the effectiveness of cybersecurity controls (including "threat-led" penetration testing that considers real-world attacker tactics).
• Incident Response Drills: Testing incident response plans and procedures to ensure effective response and recovery in case of actual disruptions.

4. ICT Third-Party Risk Management:

Recognizing the interconnectedness of the financial ecosystem, DORA also focuses on managing risks associated with third-party ICT service providers. Key elements include:

• Third-Party Due Diligence: Conducting thorough assessments of the cybersecurity practices and risk management posture of third-party service providers.
• Contractual Safeguards: Incorporating contractual clauses that obligate third-party providers to maintain adequate cybersecurity standards and comply with relevant DORA requirements.
• Oversight Mechanisms: Implementing processes to monitor the performance and adherence to cybersecurity best practices by third-party providers.

5. Information Sharing Arrangements:

This pillar aims to foster collaboration and information exchange within the financial sector to combat cyber threats more effectively. DORA encourages:

• Sharing of Threat Intelligence: Sharing information about identified threats and vulnerabilities among financial institutions and relevant authorities.
• Collaboration on Best Practices: Collaborating on developing and implementing best practices for digital operational resilience across the financial sector.

By implementing these five pillars, DORA fosters a holistic approach to managing digital operational risks and building a more secure and resilient financial ecosystem in the European Union.

The unique aspect of the DORA regulation is its introduction of a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).

The Timeline for DORA EU Implementation

Here are the key dates of DORA’s Implementation in the EU:

• November 2022: DORA was formally adopted by the European Union, marking the official starting point for the implementation process.
• 16 January 2023: Entry into force of DORA.
• 29 September 2023: Following the call for advice on criticality criteria and fees, the European Supervisory Authorities (ESAs) published their response.
• 17 January 2024: ESAs published the first set of rules under DORA for ICT and third-party risk management and incident classification.
• 12 March 2024: The ESAs published joint feedback on the second batch of DORA policy products, addressing areas like oversight of critical third-party providers, penetration testing, and major incident reporting.
• 17 July 2024: Expected delivery of the second batch of policy products.
• 17 January 2025: DORA comes into full effect. Financial institutions and relevant third-party service providers must be compliant with the Act's requirements by this date.

Milestones for Financial Sector Preparation for DORA Compliance

• Ongoing: Financial institutions should familiarize themselves with DORA's objectives and key provisions. This includes reviewing the official EU documents and available resources from relevant supervisory authorities.
• From now until September 2024: Financial institutions should conduct gap assessments to identify areas where existing policies and practices need to be adjusted to meet DORA's requirements. They need to develop a DORA compliance roadmap based on the published RTS and ITS. This roadmap should prioritize actions and establish deadlines for achieving compliance.
• Between September 2024 and January 2025: Financial institutions to implement according to their DORA compliance roadmap. This may involve activities like:
  • Updating risk management frameworks to align with DORA's requirements.
  • Conducting due diligence and potentially renegotiating contracts with third-party service providers to ensure their compliance with DORA.
  • Developing and testing incident response plans and reporting procedures.
  • Training staff on DORA requirements and new operational procedures.
  • Conducting internal audits to ensure compliance with DORA's provisions.
• By January 17, 2025: Financial institutions should be fully compliant with DORA's requirements. This includes having established risk management frameworks, robust incident response plans, and procedures for reporting major ICT-related incidents.

Financial institutions should stay updated with official announcements from the EU and relevant supervisory authorities for any changes to the timeline or specific requirements.

DORA’s Impact on Financial Entities

DORA represents a significant shift for financial institutions. Here's how it will impact operational practices:

• Focus on Risk Management: DORA mandates a proactive approach to cybersecurity. Financial institutions will need to establish dedicated teams or invest in expertise to effectively implement and maintain a comprehensive ICT risk management framework.
• Third-Party Scrutiny: DORA emphasizes the role of third-party providers in ensuring digital resilience. Financial institutions will need to conduct thorough due diligence, implement contractual safeguards, and potentially onboard only DORA-compliant service providers.
• Enhanced Reporting: DORA establishes clear reporting protocols for major ICT-related incidents. This will require financial institutions to develop robust incident detection and reporting capabilities.
• Regular Testing: DORA mandates regular vulnerability assessments, penetration testing, and incident response drills. This necessitates investment in specialized security tools and expertise.
• Increased Transparency: DORA fosters a culture of transparency within financial institutions. Supervisory authorities will have increased oversight, requiring clear communication regarding risk management practices and incident response plans.

However, these changes come with substantial benefits, not just for individual institutions but for the entire financial ecosystem:

• Improved Consumer Protection: Enhanced digital resilience translates to a more secure financial environment, safeguarding sensitive customer data and boosting consumer confidence.
• Reduced Systemic Risk: DORA strengthens the financial sector's overall resilience, minimizing the impact of cyberattacks and operational disruptions on the broader economy.
• Competitive Advantage: By demonstrably prioritizing digital operational resilience, financial institutions can gain a competitive edge by fostering trust and attracting new customers.

Implementing DORA in Organizations

If your organization will be impacted by DORA, here's what needs to be done to prepare for the legislation to come into effect:

• Assess Current State: Evaluate the existing cybersecurity infrastructure and risk management practices. Identify gaps and areas requiring improvement.
• Develop a DORA Compliance Strategy: Establish a roadmap for implementing the necessary changes, including the development of a risk management framework, vendor management processes, and incident response procedures.
• Invest in Resources: Secure the necessary budget and personnel to execute the DORA compliance plan. Explore potential partnerships with security specialists to bridge any skill gaps.

How Enterprise Architecture Can Lead the Charge in Large Organizations

The EU's Digital Operational Resilience Act (DORA) significantly affects the financial sector, demanding a paradigm shift in how large organizations approach cybersecurity and operational resilience. While the Act lays a comprehensive foundation, successfully implementing DORA requires a strategic and coordinated effort. This is where Enterprise Architecture (EA) steps in, playing a crucial role in navigating DORA's complexities and ensuring long-term compliance.

The Role of Enterprise Architecture in DORA Compliance

Enterprise Architecture provides a holistic view of an organization's IT landscape, encompassing applications, data, infrastructure, and business processes. This unique perspective makes EA ideally suited to spearhead DORA implementation within large organizations. Here's how:

• Gap Analysis: EA can conduct a comprehensive gap analysis to identify discrepancies between existing practices and DORA's requirements. This analysis will highlight areas for improvement in risk management, incident response, and third-party management.
• Mapping ICT Infrastructure: A well-defined EA blueprint can greatly aid road mapping for DORA compliance, allowing organizations to map their ICT infrastructure and identify potential vulnerabilities across the entire technology stack. This comprehensive view facilitates targeted risk mitigation strategies.
• Standardization and Consistency: DORA emphasizes the need for consistent risk management practices across the organization. EA can play a vital role in standardizing processes, ensuring consistent control application, and streamlining compliance efforts.
• Change Management: DORA implementation will undoubtedly necessitate changes in IT processes and potentially organizational structures. EA can act as a bridge between technical and business stakeholders, facilitating effective change management and user adoption of new practices.

How Enterprise Architecture Supports Digital Resilience

Beyond DORA compliance, EA fosters a culture of digital resilience within large organizations.  EA provides the organizational and process awareness to follow regulations, a strong technical foundation to scale, and the insights to support innovation and new opportunities. 

Here are some key ways EA contributes to digital resilience:

• Alignment with Business Strategy: EA ensures that IT infrastructure and processes are aligned with the organization's overall business strategy. This alignment strengthens operational resilience by ensuring technology supports core business functions and facilitates swift adaptation to unforeseen disruptions.
• Visibility and Transparency: A robust EA model provides clear visibility into the organization's technological landscape, including dependencies and potential weaknesses. This transparency allows for proactive risk identification and mitigation strategies, bolstering overall resilience.
• Process Optimization: EA fosters continuous improvement of IT processes by identifying redundancies and inefficiencies. Streamlined processes translate to a more agile and adaptable organization, better equipped to respond to disruptions and maintain operational continuity during crises.

Combining EA with collaborative business process management sets up a common language throughout a company, so more informed decisions become the norm. Agility is easier when you can see how changes in any one area affect others.

A Collaborative Approach Is Key

Implementing DORA and building digital resilience require collaboration across various departments. EA can act as a central hub, facilitating communication and information sharing between IT, security, risk management, and business units. This collaborative approach ensures a holistic and coordinated effort toward achieving DORA compliance and fostering a culture of digital resilience within the organization.

By leading DORA implementation and improving digital resilience, Enterprise Architecture can empower large organizations in the financial sector to navigate the evolving regulatory landscape and thrive in an increasingly complex digital landscape.

How Enterprises are Using Ardoq to Support DORA

Ardoq is a cloud data platform with almost limitless flexibility. It is a future-proof solution that will evolve as organizational requirements inevitably change. It leverages powerful graph technology to turn data and architectural models into actionable insights, real-time dashboards, and dynamic visualizations. It’s designed to help organizations understand the relationships between people, processes, technology, and data and use this knowledge to reach their goals and strategic objectives.

A more specific answer to "What is Ardoq?" is that it's a platform with almost limitless flexibility, a future-proof solution that will evolve as organizational requirements inevitably change with time. It includes out-of-the-box solutions that enable customers to quickly realize value from their EA practice. Managing regulatory compliance is one of the many areas in which Ardoq can deliver value and ease normally painful processes.

"Organizations are seeking robust solutions that not only streamline their reporting processes but also ensure they are in full alignment with the stringent requirements of regulatory frameworks. While compliance is an urgent priority, there is also a growing awareness that speedy, efficient compliance is a strategic advantage in today's complex financial landscape.”
- Ralph Berg, EU VP of Sales at Ardoq

One of the companies already leveraging Ardoq to prepare for DORA is a Norwegian pension company. They have used Ardoq Discover to prepare criticality assessments for the business and their applications.

"We've gained significant momentum using Discover, partly due to requirements outlined in the EU's DORA regulation, which mandates criticality assessments for both the business area and underlying applications. The solution has performed very well, even for non-technical users."
- Chief Enterprise Architect

Ardoq currently counts numerous financial service companies as customers, including MUFG, OMERS, IG Group, and WSECU. They have leveraged the unique flexibility of the Ardoq platform towards key business goals such as:

• Conducting a technology health check
• Future-proofing the organization by leveraging EA as part of their key management strategy
• Digital business management to improve their overview and drive innovation
  
  

“One of Ardoq’s strengths is easing the pain of compliance. The collaborative features and flexibility of the platform make it adaptable to the specific needs of different regulatory frameworks, including DORA. Our newly released Application Risk Management solution touches on some of the provisions detailed in DORA and could be expanded to address its full requirements.”

- Sean Gibson, Senior Enterprise Architect at Ardoq

See what solutions the Ardoq platform offers for the financial services industry, surpercharging transformation to meet customer expectations.

Conclusion

DORA marks a crucial step towards a more secure and resilient financial landscape in the European Union. Its provisions will reshape the operational practices of financial institutions, requiring a proactive approach to cybersecurity and risk management. With the January 2025 deadline approaching, now is the time for CIOs within the financial sector to initiate or accelerate their DORA compliance journey. By taking immediate action, financial institutions can ensure they are well-positioned to navigate the evolving digital threat landscape and contribute to a more secure and stable financial ecosystem.

To learn more about how Ardoq can support compliance and risk management, see our latest solution for Application Risk Management or get in touch for a demo.