With significant cyber incidents continuing to hit the headlines, we have seen a steady increase in regulatory requirements related to the financial industry. These regulations aim to keep IT and cybersecurity risk management on its toes when it comes to innovation and combatting criminal activity. Numerous financial institutions have already been subject to additional requirements, such as the EBA Guidelines, related to information and communication technology (ICT) and security risk management as well as outsourcing. These requirements have been implemented in Luxembourg by the Commission de Surveillance du Secteur Financier (“CSSF”) through dedicated circulars.

This is where DORA comes in. The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is a key EU regulation implemented as of January 2023. This regulation is a critical element within the EU Commission's digital financial package, which aims to strengthen the digital resilience of the European financial market. Its primary focus is to ensure the continuity of secure and reliable operations for financial market participants, even amidst substantial disruptions in ICT.

This regulation aims to establish a unified European-level regulatory framework specifically addressing risks stemming from ICT and suppliers. Starting 17 January 2025, DORA will extend its application to encompass a broad spectrum of financial institutions, including credit institutions, payment and electronic money entities, investment firms, insurance and reinsurance undertakings, and investment fund managers.

Concerned companies are granted a transition period until January 2025 to achieve full compliance with DORA.

Do you have questions or concerns about how DORA applies to your business? We can help you.

Contact us

Achieving DORA compliance

What is DORA?

As per the definition, digital operational resilience is “the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions”.

DORA seeks to create a unified regulatory structure at the European level. This framework addresses risks associated with ICT and suppliers, expanding the conventional boundaries to encompass new participants within the financial sector.

Navigating DORA compliance

The DORA regulation requires that financial institutions and their identified critical third parties (CTPs) have processes and procedures in place that cover the following key sections:

General provisions –the main parts of DORA are laid out

Governance and organization

  • Internal governance and control framework to ensure effective ICT risk management
  • Management body’s ultimate responsibility for managing ICT risk

ICT risk management framework

  • Identification of all sources of ICT risk
  • Protection of ICT systems
  • Detection of anomalous activities
  • Response and recovery plans and procedures
  • Continuous learning and evolving
  • Crisis communication policies and plans

ICT-related incident management, classification and reporting

  • Incident management process
  • Classification of ICT-related incidents and cyber threats
  • Reporting of major ICT-related incidents to authorities

Digital operational resilience testing

  • A digital operational resilience testing program as an integral part of the ICT risk management framework
  • Advanced testing based on threat-led penetration testing (TLPT)
  • Requirements for testers for the carrying out of TLPT

Managing of third-party risk

  • ICT third-party risk as an integral part of the ICT risk management framework
  • Strategy on ICT third-party risk
  • Register of information
  • Pre-contracting analyses over ICT services
  • Promotion of standard contractual clauses
  • Empowerment of supervisory authorities to designate and exercise oversight over critical third-party service providers

Information-sharing arrangements

  • Reinforcement of the legal grounds for information sharing arrangements on cyber threat information and intelligence

DORA implementation challenges

Financial institutions encounter a multitude of challenges, spanning from formulating a digital operational resilience strategy to executing a fitting ICT risk management framework aligned with the entity's unique characteristics. Such challenges include:

Adapting to new regulatory horizons

Some sectors in Luxembourg, such as insurance and reinsurance undertakings, are grappling with the novelty of ICT regulatory compliance, requiring a cultural shift in technology governance.

Navigating digital fragmentation

Group organizations typically do not adopt an entity-level approach to managing their digital estate, risking potential fragmentation in operational strategies.

Implementing effective function segregation

Ensuring appropriate function segregation, notably through the Three Lines of Defense (3LoD) model, poses a significant challenge that demands meticulous attention.

Bridging knowledge and skill gaps

Addressing existing gaps in knowledge and skills pertaining to ICT risk management remains a critical hurdle, requiring extensive efforts in upskilling initiatives.

Acquiring talent for ICT risk management

Finding and securing suitable talent to support ICT risk management activities emerges as a persistent challenge, considering the specialized skill set required.

Fostering a collaborative trust culture

Building a culture of trust conducive to optimal information-sharing within the financial ecosystem poses a notable challenge, necessitating strategic initiatives to establish and maintain trust networks.

Allocating resources for comprehensive testing

Allocating adequate time and resources for comprehensive testing of ICT tools and systems within the digital operational resilience testing program, including threat-led penetration testing, requires focused effort and attention.

With less than a year left to evaluate their compliance and strategize internal improvements, financial institutions must be DORA-ready by 17 January 2025. What steps should be considered?

Top tips for getting DORA-ready

01

Recognition: Consistency

Even leading financial institutions will need to adapt to comply with the new regime and meet supervisors' more harmonized expectations for controls, risk management, reporting and recovery. In some cases, this may involve a complete overhaul of operating models.

02

As-is analysis

Financial institutions should have a clear understanding of their current position and assess themselves against the requirements of DORA. To plan and implement a successful transformation, it is essential to identify gaps and mobilize the resources needed.

03

Responsibility alignment

Financial institutions need to ensure their operating models have the accountabilities and talent necessary to transition from their current position to being DORA-compliant. The management body of the financial institution remains responsible for the implementation of all arrangements related to the ICT risk management framework.

04

Cost realism

Some financial institutions may find that the additional requirements of DORA across a range of security disciplines could entail significant investments.

Carpe DORA (m)!

DORA is not merely a compliance requirement. It creates an opportunity for financial institutions to consolidate their operational risk control capabilities with their ICT risk management capabilities, and reach a high level of operational readiness and resilience across the organization.

How can we help?

KPMG’s cross-disciplinary and cross-border teams help you to navigate the maze of implementing new requirements. Our professionals offer a wide range of expertise across various disciplines relevant to DORA, including management consulting, Information Security Management (ISM), Information Risk Management (IRM), Business Continuity Management (BCM), technical security testing, outsourcing and cloud solutions.

Our specialized advisory services cover various aspects of these disciplines, leveraging a deep understanding of processes, risks and governance structures. With extensive project experience in the industry, KPMG professionals can develop customized digital solutions tailored to the financial sector and to your specific needs. Additionally, they can provide tools for efficient risk and control management, including coordinating of third-party providers and their contracts in ICT.

  • Assessment Services
  • Preparedness Services
  • DORA training for professionals
  • Gap analysis to check readiness for compliance with DORA
  • Internal governance model assessment (3LoD) and benchmarking
  • Assessment of strategies, policies, procedures, ICT protocols and tools
  • ICT Risk Management Framework (3LOD) design & implementation
  • Digital Operational Resilience Strategy & related testing
  • ICT Third party risk management
  • Instructor led tailor made online or in-house training

DORA goes beyond technology compliance requirements. It is a shift in technology governance culture and ways of thinking about resilience.

Onur Özdemir, Partner, KPMG Luxembourg

Meet the team

Sven Muehlenbrock

Sven Muehlenbrock

Partner,
KPMG Luxembourg

Email ›View profile ›

Onur Özdemir

Onur Özdemir

Partner
KPMG Luxembourg

Email ›View profile ›

It is imperative that financial firms prepare for DORA implementation. If you have any concerns or queries about how DORA will apply to your business, please contact our team. We'd be delighted to hear from you.

Connect now