The Digital Operational Resilience Act (DORA) is a newly implemented EU regulation, effective from January 2023. This regulation is a crucial component of the EU Commission's digital financial package, aimed at enhancing the digital resilience of the European financial market. Its primary objective is to ensure that financial market participants can maintain safe and reliable operations, even in the face of significant disruptions in information and communication technology (ICT).
Companies affected by this regulation have been granted a transition period until January 2025 to achieve full compliance.
Navigating DORA compliance
Governance and ICT risk management
DORA places significant emphasis on responsibility of the management body for ensuring digital operational resilience. Management must guarantee adequate protection against ICT disruptions and cyber-attacks.
DORA envisions a comprehensive ICT risk management framework as essential for building resilient financial firms. This framework enables the identification, assessment, management, and monitoring of ICT risks. One example of DORA implementation is the establishment of resilient ICT systems adhering to a consistent standard in the European Economic Area.
Legal aspects
DORA specifies contract requirements with third-party ICT providers that must be incorporated into the contract management of financial institutions. Implementing DORA requires categorizing existing contracts, establishing target requirements, conducting gap analyses, and addressing potential gaps. Furthermore, DORA alters the responsibility and liability risks of companies and executives regarding third-party ICT risks, requiring a review and potential adjustment of insurance coverage.
ICT incidents
DORA aims to standardize reporting obligations for serious ICT incidents across the European financial industry. The goal is to enhance responses to these incidents and ensure effective cooperation between national and European authorities. Implementation includes the introduction of uniform procedures for monitoring, classifying, and reporting ICT incidents to relevant authorities.
Control ICT third-party risk
DORA facilitates effective monitoring of risks posed by third-party ICT providers, which is crucial as financial firms increasingly rely on these services for their IT systems and processes. Implementation includes penalties and termination options for non-compliant third-party ICT providers, ensuring robust risk monitoring by financial firms
Digital operational stability testing
Regular testing of the operational stability and security of critical ICT systems is essential for the seamless functioning of financial businesses. A risk-based testing approach is required to detect and address potential ICT disruptions. An example of implementation is conducting penetration tests on live production systems at least every three years to identify vulnerabilities and counter potential attack vectors.
Protection and prevention
Financial organizations must ensure that their ICT systems and processes can swiftly and effectively detect and respond to potential threats. DORA specifies requirements for processes and systems to promptly detect and defend against such threats. An example of implementation is automatic network isolation during cyber-attacks, minimizing data loss and system failure while expediting the restoration of normal operations.
Challenges for Customers
The introduction of DORA may pose challenges for financial firms, requiring updates to ICT systems, process optimization, and employee training to meet the new requirements.
Key areas KPMG professionals can assist
DORA compliance strategy and management consulting
KPMG professionals can help financial organizations formulate and execute effective strategies to achieve DORA compliance, including governance and risk management enhancements.
Information security management (ISM)
KPMG professionals specialize in bolstering information security measures, ensuring that ICT systems and processes align with DORA requirements, thereby safeguarding digital operational resilience.
Information risk management (IRM)
KPMG professionals assist in identifying, assessing, managing, and monitoring ICT risks, helping financial firms establish a robust risk management framework as mandated by DORA.
Outsourcing and cloud solutions
KPMG professionals provide expertise in evaluating and handling third-party ICT providers to mitigate risks, offering insights into contract management in line with DORA's specifications.
KPMG professionals offer wide-ranging professional expertise across various relevant disciplines related to DORA, including management consulting, Information Security Management (ISM), Information Risk Management (IRM), Business Continuity Management (BCM), technical security testing, and outsourcing and cloud solutions. KPMG firms’ specialized advisory services cover various aspects of these disciplines, leveraging deep understanding of processes, risks, and governance structures.
KPMG professionals’ project experience in the industry allows the development of customized digital solutions tailored to clients' specific needs. Having access to global expertise and experience through the global organization, working closely with international teams to offer tailored digital solutions to the financial sector. Additionally, KPMG professionals provide tools for efficient risk and control management, including coordinating of third-party providers and their contracts in ICT.
