Navigating DORA compliance

The Digital Operational Resilience Act (DORA) entered into force in January 2023 and will apply from 17 January 2025, just under a year from now. Over the past year, businesses have been navigating DORA, deciphering its implications, and determining the necessary organisational and technical changes for compliance.

Assessing activities across the DORA policy areas has been a priority, with firms identifying and remediating gaps through the implementation of suitable processes.

Throughout this journey, our Cyber and Technology Risk teams, led by Dani Michaux and Jackie Hennessy, have supported firms in discovering opportunities to leverage existing frameworks and activities, particularly those outlined in the Central Bank's guidance on Outsourcing, Operational Resilience, and IT & Cybersecurity Risk.

What's in tranche 2?

The second tranche of standards, which are currently going through public consultation and due for finalisation on the 17^th of June 2024, will provide further guidelines on the following areas:

Reporting of major ICT-related incidents and significant cyber threats

Threat-led penetration testing

Subcontracting of critical or important functions

Oversight harmonisation

Guidelines on estimation of aggregated costs and losses caused by major ICT-related incidents

Guidelines on oversight cooperation and information exchange between the ESAs and competent authorities

How KPMG can help

DORA requirements will apply in full to both financial entities and by extension their ICT Service Providers by the 17th of January 2025. These will include any potential further clarifications from the ESAs as a result of the finalisation of the second tranche of the regulation.

Our team of technology risk and cyber experts have extensive knowledge across the Digital Operational Resilience obligation areas, paired with deep Governance, Risk and Compliance expertise. We have delivered DORA support programmes to leaders in the financial sector and aided numerous clients on their wider Operational Resilience journeys over the years.

The KPMG view on the DORA compliance journey takes us through 4 key stages:

Assess

While some requirements will only involve minor improvements to existing processes and structures, there will be other areas which will require specific expertise, planning, time and collaboration across different organisational functions.

To understand the implementation effort required to achieve DORA compliance, the first stage that all clients need to go through, is the assessment of their current frameworks to be able to size, prioritise and plan for remediation and reviewing these in the context of their short-, medium- and long-term resilience objectives.

Design

During DORA design, it is crucial to establish a fit-for-purpose DORA programme that shifts the focus to how DORA is going to be implemented for your business.

This may include the design of control frameworks across key remediation areas, the design of a Target Operating Model (TOM) to support DORA through the transition to the business-as-usual environment, establishing a DORA compliance function to continuously review the DORA compliance status, and determining the right technology to support the implementation of DORA.

Deliver

Based on the prioritisation of delivery elements defined during the design phase, it’s time for executing the remediation.

During delivery, we support our clients to implement and remediate the controls in line with the agreed prioritisation and we support the deployment of technology which allows clients optimise DORA processes and controls, achieve scale and consistency, and enhance the ability to manage risk and compliance.

Monitor

Lastly, KPMG have continuous DORA assurance offerings, to carry your organisation from January 2025 and beyond as you continue to monitor and ensure ongoing compliance with DORA requirements.

Our model

KPMG offers a resource-on-demand model which can be tailored to suit your organisational needs as you continue along your DORA compliance journey, and specifically, we can help you with the following:

Gap analysis to assess DORA compliance
DORA Programme Support via programme design, governance and assurance
Target Operating Model (TOM) design
Technical remediation support across ICT risk management, infrastructure, business continuity, IAM, digital texting, incident management and third-party risk
People and change management via trainings, skills plans, communications packs, etc.
Tech enablement
Compliance Programme to ensure future alignment

Navigating DORA Compliance through existing frameworks

For more, download our guide to DORA

Download

Get in touch

Whether you require additional resources or expert knowledge, the skills across our Consulting practice can be drawn upon to aid with the various aspects of your DORA programme.

If you would like to discuss the potential impact of DORA on your business, please contact Dani Michaux or Jackie Hennessy of our Digital Operational Resilience team. We look forward to hearing from you.