Getting ready for DORA

With less than one year until the introduction of the EU Digital Operational Resilience Act (DORA), Jackie Hennessy, KPMG Risk Consulting Partner who leads KPMG's Technology Risk Services, looks at the scope of the Act, the risk of non-compliance and what challenges financial services companies will face in applying this new regulation. KPMG's EMA Cyber Leader Dani Michaux highlights some cyber security issues to consider.

Financial services firms across Europe are facing a significant step up in standards when it comes to their ability to continue operations in the wake of a major ICT incident or cybersecurity breach.

DORA sets out a range of new rules for financial institutions to follow regarding their protection, detection, containment, recovery and response capabilities for ICT-related incidents. It also puts in place new requirements for ICT risk management, incident reporting, resilience testing and ICT third-party risk management.

The DORA regulation comes into effect on January 17, 2025, giving firms less than 11 months to prepare for it."Over the past year, organisations have been navigating DORA, deciphering its implications, and should be well advanced in their preparations by now," says KPMG Risk Consulting Partner Jackie Hennessy.

"Most organisations are now moving from preparation to implementation, but of course, there will be some who have fallen behind on their compliance journey through lack of in-house resources with capacity and the right expertise and skill set. It is imperative that firms act now to assess how DORA would apply to their business, what organisational and technical changes would be required as a result, and the level of investment needed to ensure compliance."

Failure to demonstrate compliance with the new rules and requirements could have potentially catastrophic consequences. "It could result in fines of up to 2 per cent of a business's annual worldwide turnover," Hennessy points out. "Also, non-compliance may lead to other consequences such as reputational repercussions or a firm found to be non-compliant could potentially be asked to cease operations."

While those penalties may sound severe, the harm caused by non-compliant institutions could be far greater. Indeed, in framing the regulation the European Commission acknowledged that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of the entire financial system.

"The increasing interconnectedness of the financial sector, and the resulting potential ripple effect of a cyberattack on one financial service provider impacting the wider community, has prompted recognition that existing regulations are not comprehensive enough to address current digital resilience challenges," Hennessy adds. "If a firm can't identify risks and threats and doesn't have the right controls in place to detect and prevent attacks, no one is safe."

The new regulation focuses on five key areas: ICT risk management; ICT related incident reporting; digital operational resilience testing; ICT third party risk management; and information and intelligence sharing. "Another area of focus is oversight of third-party partners."

Organisations are not starting from scratch. "The financial services sector has been focusing on this since at least 2016," she notes. "Institutions have been working on their ICT risk management and improving their posture with respect to resilience for a number of years now. DORA is a step up as it will bring about more prescriptive requirements. It's about being able to quickly identify, respond to, and recover from all types of ICT-related threats and risks. Some firms are concerned about the level of investment required to achieve compliance against the enhanced requirements."

But there have been other ICT-related regulations, including, for example, NISD, ICT Risk Regulations, Outsourcing Regulations and even aspects of GDPR that firms have already had to comply with.

"There has also been the outsourcing, operational resilience and IT and cybersecurity risk guidance issued by the Central Bank of Ireland. Organisations should have already been adhering to these high standards, and while there are some new, specific obligations and requirements set out under DORA, many firms have been able to leverage the frameworks and processes they already have in place in preparing their efforts for DORA compliance."

The scope of the directive is very broad, and it applies to all financial entities, from the largest international banks and investment institutions to the smallest financial services providers.

"It applies to financial services firms – banks, credit institutions, insurance entities, investment firms, payment processing organisations and so on," she explains. "Firms also need to evidence how DORA applies to third parties who provide technology or ICT services to them. Those partners may not describe themselves as financial services organisations, but they are critical to firms' resilience postures. Many third parties will potentially require a huge uplift in terms of ICT risk management and the other aspects of the Act."

The application of the Act will not be entirely uniform. "The scale of the compliance effort will be different for a pillar bank than for a small insurance broker," says Hennessy. "There will need to be proportionality applied in its implementation. Firms will need to take a risk-based approach to compliance and review this in the context of short, medium and long-term resilience objectives."

Its application to ICT suppliers could present challenges if they are required to undergo separate verification processes for each financial services customer on a regular basis. "I wouldn't be surprised if some type of independent assurance report is eventually required," she says. "This would allow ICT suppliers to provide all customers with one report rather than undergoing verification by each one separately."

For the financial services firms themselves, the additional resilience testing requirements will require particular attention. KPMG's EMA Cyber Leader Dani Michaux believes, "They will need to be able to demonstrate that they conduct appropriate security and resilience tests on critical ICT systems and applications at least annually. In addition, they must fully address any vulnerabilities identified during the testing". She also adds that "testing must be scenario based and various levels of penetration testing may be required."

"The supervisors are going to look for evidence of annual testing approved by the executive committee," Hennessy points out. "Firms are going to have to report the test results and remediation actions to the European Supervisory Authorities. The regulation also requires a significant uplift in governance and risk management frameworks. When the supervisors come in to test compliance, they will carry out detailed reviews of the various policies, procedures, risk management frameworks, business continuity plans, etc... that are in place. IT can be expected that reviews will include design and implementation testing."

Another challenge is the sheer breadth of the regulation. "DORA has 64 articles and between 500 and 600 sub-sections," she notes. "Trying to report on compliance with each of those will take a significant amount of effort, and it is not just a matter for IT departments. The governance and risk management around it will require multi-stakeholder and cross-organisational collaboration, and many organisations will not have the in-house expertise to do that. For example, some firms with small operations but large balance sheets will struggle to understand how to set up a compliance programme and manage ongoing compliance with DORA requirements. They will likely require external assistance."

Dani adds "that the technical nature of some of the requirements will need deep Cyber expertise to understand the real level of compliance."

There is also the question of accountability. "Forty-two of the articles in the regulation need individual owners within the organisation who are responsible for them. This may be operated similarly to the Individual Accountability Regime."

There will be a considerable technology impact as well. Hennessy advises organisations to look at their existing technology roadmaps to establish how any new investments in technology required by DORA will align with them. "If you are already planning on replacing something, the new technology should support DORA compliance. Existing technology plans should be examined to see if they should be altered before committing to any new investments."

Finally, the continuing evolution of the regulation means that preparation will need to continue for some time to come.

"This is the first time for all firms in demonstrating this level of compliance from a digital resilience perspective, there is no blueprint. It is also not yet fully understood how it will be regulated. Most organisations will already have done their gap analyses and put in place programmes to address the gaps, but that is just the start. A number of new regulatory and technical standards have just been released, and more are on the way. The target is moving, and the gap analysis is never complete. Programmes will need to be flexible to comply with new standards pretty quickly."