DORA regulation: all your questions answered

In September 2020, the European Commission proposed an entirely new regulatory framework for digital risk management for financial entities and certain critical ICT service providers. The objective? Improve digital operational resilience in the financial sector.

Meet DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which aims to establish a single regulatory framework at European level for the management of risks arising from ICT and suppliers.

DORA entered into force on 16 January 2023 and, from 17 January 2025, will apply to a broad range of financial institutions. Amongst others, these institutions are credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings, and investment fund managers.

With significant cyber incidents continuing to hit the headlines, we have seen a steady increase in financial industry-related regulatory requirements to keep IT and cybersecurity risk management on its toes when it comes to innovation and combatting criminal activity.

Numerous financial institutions have already been subject to more requirements (i.e. EBA Guidelines) related to ICT and security risk management as well as outsourcing. These requirements have been implemented in Luxembourg by the Commission de Surveillance du Secteur Financier through dedicated circulars.

The scope of application of the DORA Regulation being universal and mandatory, extends beyond the ‘traditional’ perimeter of financial institutions (e.g., credit institutions, payment and electronic money institutions, investment firms). This expanded scope covers a wide range of players from the financial sector, including insurance and reinsurance undertakings, managers of alternative investment funds (AIFMs) and management companies.

DORA entered into force on 16 January 2023 and will apply from 17 January 2025.

As per the definition, digital operational resilience is “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”.

DORA aims to establish a single regulatory framework at the European level for the risks arising from ICT and suppliers, which extends the traditional perimeter to new players in the financial sector.

DORA sets out a comprehensive framework for managing risks associated with the increased digitalization of the financial sector and the dynamic cyber threat landscape. So, what do financial entities need to do to establish digital operational resilience framework?

Governance and organization
The financial entity's management body is ultimately responsible for establishing the organization and governance structure to effectively manage ICT risk. DORA outlines a set of responsibilities and requirements that the management body must fulfill, one of which is for them to enhance and sustain their understanding of ICT risk.

ICT risk management framework
All financial entities must recognize and assess their ICT risk landscape and have a framework for managing ICT risk that governs and directs all activities related to ICT risk management. Financial entities (except for microenterprises) must guarantee an adequate level of separation and autonomy among their ICT risk management functions, control functions, and internal audit functions, based on either the three lines of defence model or an internal risk management and control model.

ICT-related incident management, classification and reporting
Financial entities must set up an ICT-related incident management process and develop the necessary abilities to supervise, manage and track such incidents. Significant incidents must be reported to the appropriate competent authority.

The classification of incidents must adhere to the criteria stipulated in the regulation, including the scope of the incident's geographical impact, the criticality of the affected services, and the duration of the incident.

Digital operational resilience testing
Under DORA, a digital operational resilience testing program that is proportionate and risk-based must be set up. The program should include various tests, including open-source analyses, vulnerability assessments and scans, gap analyses, as well as network security assessments. Critical ICT systems and applications are required to undergo yearly testing, and certain financial entities must conduct advanced threat-led penetration testing at least once every three years.

Managing ICT third-party risk​
As the ICT third-party risk management is an essential part of the ICT risk management framework, financial institutions are required to establish a strategy for managing this risk and periodically evaluate this risk. They must also keep a record of all contractual agreements with ICT third-party service providers in a dedicated Register of Information.

In addition, DORA brings requirements concerning new ICT service procurement, termination and incorporation of certain contractual provisions into agreements with ICT third-party service providers. It mandates financial entities to conduct ICT concentration risk assessments before making contractual agreements.

Information-sharing arrangements​
Financial institutions are permitted to exchange cyber threat information and intelligence with one another provided that the sharing of information takes place within trusted communities, bolsters the digital operational resilience of financial entities, and is conducted in compliance with relevant legislation.

From cyber security risk assessments to ICT governance model definition, KPMG’s Tech & Cyber Risk Consulting specialists have long been helping financial institutions to identify and mitigate their gaps by defining a roadmap with tactical and strategic action plans.

This is just the beginning! Don’t miss Part 2 where we flag the challenges ahead and share our top tips for staying ahead of the game and getting “DORA-ready”!