Getting DORA ready

With the upcoming Digital Operational Resilience Act (DORA), entities must move from preparation to implementation and take steps towards demonstrating how their practices comply with DORA.

Financial entities will need to demonstrate appropriate security and resilience of critical ICT systems and applications to comply with DORA. The level of compliance effort will vary depending on the size and complexity of your entity. A risk-based approach, together with appropriate security and resilience testing, is necessary to address potential vulnerabilities and to prove compliance when meeting the evidence requirements of the European Supervisory Authorities. By focusing on long-term resilience, entities can establish a resilient foundation, which will aid them in their steps towards DORA compliance.

Our Technology Risk and Cyber teams, led by Jackie Hennessy and Dani Michaux, share their in-depth views on key actions to help you get ready for DORA.

Resilience means learning from the past to improve the present and to prepare for the future.

Our 5 key actions towards DORA readiness

To help entities get ready for DORA, we have identified 5 key actions to assist those that are in the preparation phase. These actions will enable entities to manage their digital operational resilience effectively and be ready for DORA:

"Financial sector entities have been focused on ICT risk management and compliance for a number of years."

1. Determine strategic priorities

To enhance business practices, organisations must aim for a transformation towards a resilient end-to-end IT and operations environment. To ensure strong risk management, the focus should be on a broad, agile transformation that takes into account the risks associated with ICT/technology suppliers and the continuity measures in place.

Additionally, aim to increase your organisation's agility in serving digital channels by implementing strong business continuity management (BCM) measures.

2. Implement resilience and incident management measures

To ensure effective implementation of your DORA program, it is crucial to ensure leadership support, as well as translation of strategic and regulatory requirements into operational measures.

It is essential to enable control owners and line management to manage compliance requirements in a risk-based way, including the automation of controls related to digital resilience, in order to manage the complexity of (compliance) requirements effectively.

Think big and start small – for example, by organising a workshop with relevant middle-management players to align and agree on the implementation strategy of your DORA program.

3. Manage third-party risks

To ensure effective management of ICT risk related to third-party providers, it is essential to monitor all ICT-related third-party risks across every phase of the relationship, from onboarding through to exit.

This involves the classification and analysis of providers and their management bodies, record-keeping of relevant information, managing proportionality, managing compliance, and creating a third-party risk management (TPRM) strategy.

By undertaking these steps, comprehensive management of ICT risk in relation to third-party providers can be ensured.

4. Test digital operational resilience

To ensure operational resilience, it is crucial to test critical and important functions more frequently than non-critical functions, and at least once per year. The programme for testing digital operational resilience must be based on relevant threat scenarios.

Best practice is to implement an appropriate test set-up for each threat scenario, so that resilience against it is tested effectively. Moreover, every three years, entities are required to perform Threat-Led Penetration Testing (TLPT) that simulates a realistic and advanced cyber attack. This simulation helps organisations prepare and train for real cyber attacks.

5. Implement measures for resilience and ICT incidents

To establish strong operational resilience measures and incident management, resilience testing must be approached from a wider perspective which, beyond technical security testing, includes regular crisis simulations.

It is important to improve business continuity plans and ICT crisis scenarios so that slow and ineffective incident management does not turn a disruption into an uncontrolled one. Moreover, maturing threat intelligence and assessing the top continuity risk scenarios is crucial to enhancing resilience and preparedness in critical situations.

By implementing these measures, strong operational resilience can be established, supporting smooth and uninterrupted operations.

How KPMG can help

DORA requirements will apply in full to financial entities, and by extension to their ICT service providers, from the 17th of January 2025. These will include any further clarifications from the ESAs resulting from the finalisation of the second tranche of the regulation.

Our team of technology risk and cyber experts has extensive knowledge across the Digital Operational Resilience obligation areas, paired with deep Governance, Risk and Compliance expertise. We have delivered DORA support programmes to leaders in the financial sector and aided numerous clients on their wider Operational Resilience journeys over the years.

The KPMG view on the DORA compliance journey takes us through 4 key stages:

Assess, design, deliver, monitor

Assess

While some requirements will only involve minor improvements to existing processes and structures, there will be other areas which will require specific expertise, planning, time and collaboration across different organisational functions.

To understand the implementation effort required to achieve DORA compliance, the first stage that all clients need to go through is an assessment of their current frameworks. This allows them to size, prioritise and plan remediation, and to review it in the context of their short-, medium- and long-term resilience objectives.

Design

During DORA design, it is crucial to establish a fit-for-purpose DORA programme that shifts the focus to how DORA is going to be implemented for your business.

This may include the design of control frameworks across key remediation areas, the design of a Target Operating Model (TOM) to support DORA through the transition to the business-as-usual environment, establishing a DORA compliance function to continuously review the DORA compliance status, and determining the right technology to support the implementation of DORA.

Deliver

Based on the prioritisation of delivery elements defined during the design phase, it is time to execute the remediation.

During delivery, we support our clients in implementing and remediating the controls in line with the agreed prioritisation, and we support the deployment of technology which allows clients to optimise DORA processes and controls, achieve scale and consistency, and enhance their ability to manage risk and compliance.

Monitor

Lastly, KPMG has continuous DORA assurance offerings to carry your organisation from January 2025 and beyond as you continue to monitor and ensure ongoing compliance with DORA requirements.

Get in touch

Whether you require additional resources or expert knowledge, the skills across our Consulting practice can be drawn upon to aid with the various aspects of your DORA programme.

If you would like to discuss the potential impact of DORA on your business, please contact Jackie Hennessy or Dani Michaux of our Digital Operational Resilience team. We look forward to hearing from you.