Key Facts:

  • The Council of the EU and the European Parliament formally adopted the Digital Operational Resilience Act (DORA) on 28 November 2022. The legislation entered into force on 16 January 2023 and will apply from 17 January 2025.
  • The new regulation aims to harmonize existing legislation and supplement gaps to improve the overall operational resilience in the financial sector with respect to all kinds of IT-related threats.
  • While the new legislation introduces significant challenges for financial institutions, it also presents many opportunities.

For a long time, regulatory bodies have been warning companies in the financial industry about an increased threat from cyberattacks. Financial markets are critical infrastructure for society; without them, money does not flow, trade falters, and the economy comes to a standstill. This problem has been escalating, particularly since the outbreak of the Ukraine war.

To mitigate the risks of cyberattacks, the European Commission has developed an ambitious plan over the past two years – which includes the consolidation and supplementation of existing cyber regulations – called the Digital Operational Resilience Act, or DORA.

The objectives of DORA

DORA's objectives include embedding the existing protection mechanisms of financial institutions and their essential IT third-party providers into a coordinated security system, thus enhancing the digital operational stability of the entire industry. The EU Council and Parliament, in a press release from May 2022, expressed the goal as the "strengthening of EU-wide cybersecurity and resilience". Financial institutions now have clear regulatory guidelines, and the directive for "cyber resilience" has been issued loud and clear. Compliance and risk managers must take the necessary steps for a swift and efficient implementation.

The benefits of teamwork

DORA emphasizes teamwork over individual efforts, focusing on both in-house information and communication technologies (ICT) and a central reporting system for early warning. And while adjustments and additional efforts are expected in both areas, DORA presents a significant opportunity for financial institutions to join forces to reduce the overall industry risk posed by cyber threats.

The promotion of teamwork over an individualistic approach is commendable. And financial institutions, which have significantly suffered from the effects of the COVID-19 crisis, including remote work and increasing cyberattacks in recent years, recognize this.

A tight implementation window and expansion of scope

To establish a common framework, the European Commission presented the draft regulation on digital operational resilience in the financial sector on 24 September 2020, and on 10 May 2022 a provisional agreement was reached between the co-legislators. The Council of the EU adopted the revised act on 28 November 2022, and the final version was published in the EU Official Journal on 27 December 2022. The regulation entered into force on 16 January 2023 and will be applicable from 17 January 2025.

With an implementation period of only two years, it’s important that all financial entities – including investment companies, banks, insurance companies, software providers and data storage solution providers – develop a concrete action plan to implement and comply with all requirements.

The DORA package aims to achieve three core goals:

  1. Unification of existing European and national standards;
  2. Ensuring sufficient protection against cyber risks; and
  3. Establishing a legal framework for the direct supervision of IT third-party providers.

Some of these goals are covered by existing regulations, especially regulatory requirements for banks, insurance companies, investment management companies, and payment and e-money institutions. However, DORA introduces significant modifications with, for example, the expansion of the scope to include not only banks, insurance companies, and payment service providers but also crypto-service providers. Small businesses with fewer than ten employees and two million euros in annual revenue are exempted. However, for all other financial institutions, understanding the DORA package in its depth is crucial, and action may be necessary.

Key obligations and points to focus on

Below is an overview of the potential impact on financial services companies:

  1. Leadership bodies are expected to take on more responsibility in steering ICT risk management and ensuring cyber hygiene. This will lead to fewer tasks being delegated to the "Second Line".
  2. The standardization of ICT risk management will demand more transparency and heightened sensitivity from regulators. This, in turn, requires a common understanding and comparability of risks, leading to the standardization of metrics, parameters, and a common risk register.
  3. According to the regulation, institutions should respond to cyberattacks with standardized handling, classification, and reporting. The thresholds for the significance of reporting obligations are currently unclear, and a unified reporting form is being developed by the European Supervisory Authorities (ESAs), including the European Insurance and Occupational Pensions Authority (EIOPA), the European Banking Authority (EBA), and the European Securities and Markets Authority (ESMA). Overall, it can already be stated that harmonizing ICT risk management with the framework and the overall market, considering all risks and scenarios, will become significantly more complex.

Increased complexity

In addition to internal risk management, regulations regarding the handling of IT third-party providers are also likely to pose significant challenges for many financial service providers. The ESAs, according to DORA, will take over the designation of criticality for IT third-party providers and will become the leading supervisory authority for these providers. With a stronger focus on ICT strategy and resilience, companies should increase their sensitivity to related risks and their effects, integrating third-party providers into ICT risk assessment.

Conclusion

Considering the DORA implementation deadline of 17 January 2025, it is clear that the new legislative package will serve as a major mediator for all individual resilience disciplines in financial institutions and their key ICT third-party providers. It demands coordination across IT operations, business continuity management, crisis management, outsourcing, and information risk and security management. All these resilience disciplines and their interfaces must follow unified guidelines to ensure optimal resilience in case of emergencies. Due to the ongoing increase in cyber threats, it is now more critical than ever for financial institutions to be prepared for incidents, to react effectively to them, and to be able to recover from them.

While the effort required to meet these requirements should not be underestimated, there is also an opportunity for the implementation of coordinated operational cyber resilience. Harmonization can be achieved, and potential duplication of work and overlaps can be avoided.

How can KPMG support you

  • KPMG provides a comprehensive professional repertoire that encompasses all relevant disciplines related to the DORA regulation. This includes management consulting, Information Security Management (ISM), Information Risk Management (IRM), Business Continuity Management (BCM), outsourcing, and cloud solutions. We are specialized in advising and supporting clients across these disciplines.
  • We possess a profound understanding of processes, risks, controls, and governance structures. Leveraging our expertise and know-how, we assist clients in implementing effective control mechanisms and risk management strategies.
  • Our extensive project experience with companies in the financial services industry has given us valuable insights and knowledge, allowing us to better comprehend our clients' challenges and requirements. Utilizing our proven process model, we apply these insights strategically and develop customized solutions tailored to the unique needs of our clients.
  • Benefiting from direct access to global expertise and experience through our corporate network, we collaborate closely with our international teams. This enables us to tap into a broad range of experience and expertise specifically tailored to the financial sector.
  • In addition to our technical and methodological expertise, we offer know-how for the implementation of tools. We support clients in implementing standard Governance, Risk, and Compliance (GRC) tools to efficiently manage risks and controls. Furthermore, we provide tools for the effective management of third-party providers and their contracts in the field of information technology.