The Digital Operational Resilience Act (DORA) is a new EU regulation that came into force in January 2023. It is part of the EU Commission's digital financial package with the aim of increasing the digital resilience of the European financial market. The aim is to ensure that financial market participants can continue to operate safely and reliably even in the event of larger incidents concerning information and communication technology (ICT).
For companies affected by the regulation, there is a transition period until January 2025 for full implementation.
The new requirements, for example for ICT security, operational resilience and reporting obligations in the event of cyber attacks, are explained below.
Requirements & current developments
DORA also provides for its requirements to be specified in more detail by the ESAs (European Supervisory Authorities) through regulatory and implementing technical standards (RTS/ITS).
The chart referenced here (not reproduced on this page) gives an overview and timeline of these specifications, broken down by DORA chapter: those delivered in the first round (pink) and those still pending in the second round (blue). The public consultation phase of the first round runs from 19.6.2023 to 11.9.2023. The European Commission is then due to receive the revised drafts by 17.1.2024. The RTS/ITS of the second round are expected to be published for public consultation at the end of November/beginning of December 2023.
Audit practice began when the DORA implementation period ended in January 2025. Since then, the implementation of DORA, and therefore the resilience of financial companies and their information and communication technology (ICT) service providers, has been audited by the internal audit department, by the auditor of the annual financial statements and, in particular, by the national (BaFin) and European (European Supervisory Authorities) supervisory authorities. The starting point for these audits is a functioning ICT risk management system. Based on the definition of critical and important functions, all areas of DORA are reviewed, both in terms of the requirements themselves and their effective implementation.
We provide financial companies with comprehensive support during these audits: starting with preparing our clients, we accompany the entire audit and then help them to work through the findings in a structured manner. We ensure a professional audit process and transparent communication with the authorities. Through a gap analysis, we avoid surprises regarding content and can quickly identify, assess and communicate anomalies.
Challenges for Customers
The introduction of the DORA regulation may pose a number of challenges for financial firms, as they may not be sufficiently prepared to implement the new requirements.
In order to meet the requirements and continue to conduct business appropriately and successfully, ICT systems need to be updated, processes optimised and employees trained.
Legal Aspects
Regarding contract management, DORA specifies requirements for contracts with third-party ICT providers that must be incorporated into the contract management of financial institutions. In the implementation phase, existing contracts must be categorised, target requirements established, gap analyses conducted and any gaps identified addressed.
Furthermore, DORA changes the requirements regarding the responsibility and liability risks of companies and executives with respect to third-party ICT risks. For example, the scope and conditions of insurance coverage need to be reviewed and, if necessary, adjusted.
How KPMG supports you
- KPMG has a comprehensive professional repertoire covering all relevant disciplines in the area of the DORA regulation, including management consulting, ISM (Information Security Management), IRM (Information Risk Management), BCM (Business Continuity Management), outsourcing and cloud solutions. We specialise in advising and supporting our clients in all aspects of these disciplines.
- We have a deep understanding of processes, risks and controls as well as governance structures. Our expertise and know-how enable us to support our clients in implementing effective control mechanisms and risk management strategies.
- Our extensive project experience with companies in the industry has provided us with valuable insights and knowledge that help us better understand our clients' challenges and requirements. With our proven process model, we apply these insights in a targeted manner and develop customised solutions, optimally tailored to the individual needs of our clients.
- We benefit from direct access to global expertise and experience through our corporate network. We work closely with our international teams and can draw on a broad range of experience and expertise specifically tailored to the financial sector.
- In addition to our technical and methodological expertise, we also offer know-how for the implementation of tools. We support our clients in implementing standard GRC tools to efficiently manage and control risks and controls. We also offer tools for the effective management of third-party ICT providers and their contracts.
Your contacts
Nadine Schmitz
Partnerin, Financial Services
KPMG AG Wirtschaftsprüfungsgesellschaft
Peter Hertlein
Partner, Financial Services, IT Compliance & Cyber Resilience
KPMG AG Wirtschaftsprüfungsgesellschaft
Partner, Legal Financial Services
KPMG Law Rechtsanwaltsgesellschaft mbH
+49 174 9044502
Senior Manager, Legal Financial Services
KPMG Law Rechtsanwaltsgesellschaft mbH
+49 151 55109012
* Legal services are provided by KPMG Law Rechtsanwaltsgesellschaft mbH.