Onur Ozdemir, Partner

In September 2020, the European Commission proposed an entirely new regulatory framework for digital risk management for financial entities and certain critical ICT service providers. The objective? Improve digital operational resilience in the financial sector.

Meet DORA, the Digital Operational Resilience Act (Regulation (EU) 2022/2554), which aims to establish a single regulatory framework at European level for the management of risks arising from ICT and suppliers.

DORA entered into force on 16 January 2023 and, from 17 January 2025, will apply to a broad range of financial institutions. Amongst others, these institutions are credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings, and investment fund managers.

Digital Operational Resilience Act (DORA)

With significant cyber incidents continuing to hit the headlines, regulatory requirements on the financial industry have steadily increased, pushing IT and cybersecurity risk management to keep pace with both technological innovation and criminal activity.

Numerous financial institutions are already subject to requirements on ICT and security risk management and on outsourcing (e.g. the EBA Guidelines). In Luxembourg, these requirements have been implemented by the Commission de Surveillance du Secteur Financier (CSSF) through dedicated circulars.

The scope of application of the DORA Regulation is universal and mandatory, and it extends beyond the ‘traditional’ perimeter of financial institutions (e.g. credit institutions, payment and electronic money institutions, investment firms). This expanded scope covers a wide range of financial-sector players, including insurance and reinsurance undertakings, managers of alternative investment funds (AIFMs) and management companies.

DORA entered into force on 16 January 2023 and will apply from 17 January 2025.

What is DORA?

The Regulation itself defines digital operational resilience as “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”.

DORA aims to establish a single regulatory framework at the European level for the risks arising from ICT and suppliers, which extends the traditional perimeter to new players in the financial sector.

Who is regulated under DORA?

  • Central securities depositories
  • Crypto-asset service providers
  • Central counterparties
  • Credit institutions
  • Investment firms
  • Account information service providers
  • Payment institutions and electronic money institutions
  • Trading venues and trade repositories
  • Administrators of critical benchmarks
  • Credit rating agencies
  • Crowdfunding service providers
  • Data reporting service providers
  • Institutions for occupational retirement provision
  • Insurance and reinsurance undertakings
  • Managers of alternative investment funds (AIFMs) and management companies
  • Securitization repositories
  • ICT third-party service providers (those designated as critical fall under the new oversight framework)

What is required?

DORA sets out a comprehensive framework for managing the risks associated with the increasing digitalization of the financial sector and a fast-moving cyber threat landscape. So, what do financial entities need to do to establish a digital operational resilience framework?

General provisions: the main parts of DORA at a glance

Governance and organization

  • Internal governance and control framework to ensure effective ICT risk management
  • Management body’s ultimate responsibility for managing ICT risk

ICT risk management framework

  • Identification of all sources of ICT risk
  • Protection of ICT systems
  • Detection of anomalous activities
  • Response and recovery plans and procedures
  • Continuous learning and evolving
  • Crisis communication policies and plans

ICT-related incident management, classification and reporting

  • Incident management process
  • Classification of ICT-related incidents and cyber threats
  • Reporting of major ICT-related incidents to authorities

Digital operational resilience testing

  • A digital operational resilience testing program as an integral part of the ICT risk management framework
  • Advanced testing based on threat-led penetration testing (TLPT)
  • Requirements for the testers carrying out TLPT

Managing of third-party risk

  • ICT third-party risk as an integral part of the ICT risk management framework
  • Strategy on ICT third-party risk
  • Register of information
  • Pre-contracting analyses over ICT services
  • Promotion of standard contractual clauses
  • Empowerment of supervisory authorities to designate and exercise oversight over critical third-party service providers

Information-sharing arrangements

  • Reinforcement of the legal grounds for information sharing arrangements on cyber threat information and intelligence

Governance and organization
The financial entity's management body bears ultimate responsibility for establishing the organization and governance structure needed to manage ICT risk effectively. DORA sets out a list of duties the management body must fulfil, one of which is to actively keep its own knowledge and understanding of ICT risk up to date, for instance through regular training.

ICT risk management framework
All financial entities must identify and assess their ICT risk landscape and maintain a documented framework for managing ICT risk that governs and directs all ICT risk management activities; this framework must be reviewed at least once a year and after any major ICT-related incident. Financial entities (other than microenterprises) must ensure an adequate level of separation and independence between their ICT risk management, control and internal audit functions, following either the three lines of defence model or an internal risk management and control model.

ICT-related incident management, classification and reporting
Financial entities must set up an ICT-related incident management process and develop the capabilities needed to monitor, handle and follow up on such incidents. Major ICT-related incidents must be reported to the relevant competent authority; significant cyber threats may additionally be notified on a voluntary basis.

Incidents must be classified according to the criteria set out in the Regulation: the number and relevance of clients or financial counterparts affected, the duration of the incident (including service downtime), its geographical spread, any data losses, the criticality of the affected services and its economic impact. The materiality thresholds that turn these criteria into a “major” classification are specified in the accompanying regulatory technical standards.

Digital operational resilience testing
Under DORA, financial entities must set up a digital operational resilience testing program that is proportionate and risk-based. The program should comprise a range of tests, including open-source analyses, vulnerability assessments and scans, gap analyses and network security assessments. ICT systems and applications supporting critical or important functions must be tested at least yearly, and certain financial entities must additionally conduct advanced threat-led penetration testing (TLPT) at least once every three years. TLPT is performed against live production systems supporting those critical or important functions, following a methodology aligned with the TIBER-EU framework, so it must be planned and scoped with far more care than a routine penetration test.

Managing ICT third-party risk​
Because ICT third-party risk management is an integral part of the ICT risk management framework, financial entities are required to establish a strategy for managing this risk and to reassess it periodically. They must also maintain a record of all contractual arrangements with ICT third-party service providers in a dedicated Register of Information, which the competent authority can request at any time.

In addition, DORA introduces requirements on the procurement of new ICT services, on termination (including exit strategies for services supporting critical or important functions) and on the key contractual provisions that must be included in agreements with ICT third-party service providers. Before concluding a contract for ICT services that support critical or important functions, financial entities must carry out due diligence on the provider and assess the resulting ICT concentration risk.

Information-sharing arrangements​
Financial entities are permitted to exchange cyber threat information and intelligence with one another, provided that the exchange takes place within trusted communities, strengthens the digital operational resilience of financial entities and is conducted in compliance with applicable legislation (data protection and competition rules in particular). Entities must notify their competent authority when they join, and when they leave, such an arrangement.

KPMG Expertise

From cyber security risk assessments to ICT governance model definition, KPMG’s Tech & Cyber Risk Consulting specialists have long been helping financial institutions to identify and mitigate their gaps by defining a roadmap with tactical and strategic action plans.

Stay informed

This is just the beginning! Don’t miss Part 2 where we flag the challenges ahead and share our top tips for staying ahead of the game and getting “DORA-ready”!