Welcome to Part 2 of our DORA series! In Part 1 we explained what DORA is, which financial institutions are affected, and how this act will impact them. Here, we’ll take you through the potential challenges ahead and what needs to be done by 17 January 2025.
From the development of a digital operational resilience strategy to the implementation of an ICT risk management framework that is proportionate to the size, risk profile, nature, scale and complexity of the entity's services, activities and operations, financial institutions face multiple challenges. Let's take a look at just a few of the challenges they may be up against:
- ICT regulatory compliance is relatively new for some sectors in Luxembourg (e.g. insurance and reinsurance undertakings), which means a shift in technology governance culture
- Fragmentation of the digital estate, since group organizations do not generally operate on an entity-by-entity basis
- Segregating functions appropriately (i.e. across the three lines of defence, 3LoD)
- Closing the knowledge and skills gaps in ICT risk management
- Finding the right talent to support ICT risk management activities
- Creating a culture of trust enabling optimal information-sharing within the financial ecosystem
- Allocating time and effort to the testing of ICT tools and systems as part of the digital operational resilience testing program, as well as to threat-led penetration testing
Top tips for getting DORA-ready
With less than a two-year window to assess their compliance and plan the uplift of their internal arrangements, financial institutions need to get DORA-ready by 17 January 2025. So, where should they start?
- Recognize the importance of a new, consistent approach:
- Even leading financial institutions will need to adapt to comply with the new regime and meet supervisors’ more harmonized expectations for controls, risk management, reporting and recovery. In some cases, this may involve a complete overhaul of operating models.
- As-Is Analysis:
- Financial institutions should have a clear understanding of their current position and assess themselves against the requirements of DORA. To plan and implement a successful transformation, it is essential to identify gaps and mobilize the resources needed.
- Assign adequate accountabilities and find the right talent:
- Financial institutions need to ensure their operating models have the accountabilities and talent necessary to transition from their current position to being DORA-compliant. The management body of the financial institution remains responsible for the implementation of all arrangements related to the ICT risk management framework.
- Be realistic about costs:
- Some financial institutions may find that the additional requirements of DORA across a range of security disciplines could entail significant investments.
- Carpe DORA(m)!:
- DORA is not merely a compliance requirement. It creates an opportunity for financial institutions to consolidate their operational risk control capabilities with their ICT risk management capabilities, and reach a high level of operational readiness and resilience across the organization.
Finding an optimal balance between the opportunities and risks arising from digital transformation is no easy task… Our experienced Tech & Cyber Risk team are ready to share their regulatory and cyber security know-how. Reach out and let us help you on your DORA journey!
DORA goes beyond technology compliance requirements. It is a shift in technology governance culture and ways of thinking about resilience.
Laurent de la Vaissière, Partner, KPMG Luxembourg
Discover the KPMG services
- Gap analysis for checking readiness for compliance with DORA
- Internal governance model assessment (3LoD) and benchmarking
- Assessment of strategies, policies, procedures, ICT protocols and tools
- ICT Risk Management Framework (3LOD) design & implementation
- Digital Operational Resilience Strategy & related testing
- ICT third-party risk management