DORA aims to strengthen systemic resilience by establishing consistent standards for the management of information and communication technology (ICT) risks across the EU’s financial industry. The ECB and national supervisors have now begun conducting the first DORA-focused onsite inspections (OSIs).

      So far, industry observations suggest that DORA OSIs are more detailed and more demanding than previous ICT audits. Some consistent themes are beginning to emerge from OSIs carried out across Significant and Less Significant Institutions.

      DORA OSIs: Overall approach

      The first point to note is a stronger focus on the practical effectiveness of implemented measures than on their documented design. Supervisors are also stressing the importance of a consistent end-to-end approach.

      In ICT risk management, the method used to identify and evaluate Critical or Important Functions (CIFs) is as much of a focus as the CIFs themselves. Key areas of interest include:

      • What is the underlying methodology for identification and classification of CIFs?
      • Is the CIF assessment effectively linked with the inventories of business processes and ICT assets?
      • To what extent are CIFs provided by internal or external service providers?
      • Is the dependency on ICT service providers sufficiently identified in the inventories for business processes and ICT assets?
      • Have the banks derived target catalogues of IT security measures and implemented them according to the respective level of criticality?
      • Is the internal control system assessed from both the 1st and 2nd line perspectives, including its consistency with the institution's internal regulatory framework and its contribution to implementing the requirements?
      • Are resources allocated appropriately across the three lines of defence for CIFs, and on what basis?

      As before, one area of particular focus is core ICT security measures such as encryption, backup and recovery (including recovery tests), and network segmentation. Special attention is paid to the risk-based derivation of measures and their operationally effective implementation. Another focus area is key business continuity management (BCM) features: financial institutions are required to demonstrate that their calculated recovery and restart times match the times actually achieved in tests, including where ICT service providers are involved in recovery.
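      The linkage and effectiveness questions above (CIFs mapped to business processes and ICT assets, ICTSP dependencies recorded, target measures applied per criticality tier, and calculated versus achieved recovery times) can be checked mechanically before an inspection. The script below is an added illustration, not code from the original article or from any supervisor; its registers are constructed sample data and its field names (cif_id, rto_minutes, supports_cif and so on) are assumptions rather than a DORA-mandated schema. Each check returns findings of the kind an OSI team would otherwise surface by hand.

```python
"""Pre-inspection consistency checks across CIF register, inventories and BCM tests.

Added illustration: constructed sample registers and assumed field names,
not an official DORA schema or the article's own material.
"""

# Assumed target catalogue of IT security measures per criticality tier.
TARGET_MEASURES = {
    "critical": {"encryption_at_rest", "tested_backup", "network_segmentation"},
    "important": {"encryption_at_rest", "tested_backup"},
}

# Constructed sample data. Gaps are planted deliberately so each check fires.
CIFS = [
    {"cif_id": "CIF-01", "tier": "critical", "processes": ["BP-10", "BP-11"], "rto_minutes": 60},
    {"cif_id": "CIF-02", "tier": "important", "processes": ["BP-20"], "rto_minutes": 480},
    {"cif_id": "CIF-03", "tier": "critical", "processes": ["BP-30"], "rto_minutes": 120},
]
PROCESSES = {  # business process -> ICT assets it depends on (BP-30 is missing)
    "BP-10": ["AS-core", "AS-swift-gw"],
    "BP-11": ["AS-core"],
    "BP-20": ["AS-reporting"],
}
ASSETS = {  # ICT asset -> provider ("internal" or ICTSP id) and implemented measures
    "AS-core": {"provider": "internal", "measures": {"encryption_at_rest", "tested_backup", "network_segmentation"}},
    "AS-swift-gw": {"provider": "ICTSP-cloud", "measures": {"encryption_at_rest", "tested_backup"}},
    "AS-reporting": {"provider": "ICTSP-saas", "measures": {"encryption_at_rest", "tested_backup"}},
}
ICTSPS = {  # ICTSP register: whether the provider is recorded as supporting a CIF
    "ICTSP-cloud": {"supports_cif": True},
    "ICTSP-saas": {"supports_cif": False},
}
BCM_TESTS = {  # last recovery test per CIF, achieved restart time in minutes (CIF-03 never tested)
    "CIF-01": {"achieved_minutes": 95, "ictsp_involved": True},
    "CIF-02": {"achieved_minutes": 300, "ictsp_involved": False},
}


def cif_assets(cif, processes):
    """All ICT assets reachable from a CIF through its business processes."""
    return {a for bp in cif["processes"] for a in processes.get(bp, [])}


def check_cif_linkage(cifs, processes, assets):
    """Every CIF must resolve to known processes, and every process to known assets."""
    findings = []
    for cif in cifs:
        for bp in cif["processes"]:
            if bp not in processes:
                findings.append((cif["cif_id"], "process_missing", bp))
                continue
            for a in processes[bp]:
                if a not in assets:
                    findings.append((cif["cif_id"], "asset_missing", a))
    return findings


def check_target_measures(cifs, processes, assets, targets):
    """Assets supporting a CIF must carry the measures its criticality tier requires."""
    findings = []
    for cif in cifs:
        required = targets[cif["tier"]]
        for a in sorted(cif_assets(cif, processes)):
            if a not in assets:
                continue  # already reported by check_cif_linkage
            missing = required - assets[a]["measures"]
            if missing:
                findings.append((cif["cif_id"], "measure_gap", f"{a}: {sorted(missing)}"))
    return findings


def check_ictsp_dependencies(cifs, processes, assets, ictsps):
    """External providers behind a CIF must be registered and flagged as CIF-supporting."""
    findings = []
    for cif in cifs:
        for a in sorted(cif_assets(cif, processes)):
            provider = assets.get(a, {}).get("provider", "internal")
            if provider == "internal":
                continue
            entry = ictsps.get(provider)
            if entry is None:
                findings.append((cif["cif_id"], "ictsp_unregistered", provider))
            elif not entry["supports_cif"]:
                findings.append((cif["cif_id"], "ictsp_cif_dependency_not_recorded", provider))
    return findings


def check_recovery_times(cifs, tests):
    """Calculated restart time must be backed by a test that actually achieved it."""
    findings = []
    for cif in cifs:
        t = tests.get(cif["cif_id"])
        if t is None:
            findings.append((cif["cif_id"], "no_recovery_test", None))
        elif t["achieved_minutes"] > cif["rto_minutes"]:
            findings.append((cif["cif_id"], "rto_not_met", f"{t['achieved_minutes']} > {cif['rto_minutes']} min"))
    return findings


def run_all(cifs=CIFS, processes=PROCESSES, assets=ASSETS, ictsps=ICTSPS, tests=BCM_TESTS):
    """Run every check and return the findings sorted by CIF and type."""
    findings = (
        check_cif_linkage(cifs, processes, assets)
        + check_target_measures(cifs, processes, assets, TARGET_MEASURES)
        + check_ictsp_dependencies(cifs, processes, assets, ictsps)
        + check_recovery_times(cifs, tests)
    )
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for cif_id, kind, detail in run_all():
        print(f"{cif_id}: {kind} ({detail})")
```

      Run against the sample data, the script reports an unmapped business process for CIF-03, a missing network segmentation measure on the externally hosted payments gateway behind CIF-01, an ICTSP behind CIF-02 whose register entry does not record the CIF dependency, a recovery test for CIF-01 that overran the calculated time, and no recovery test at all for CIF-03. Replace the constructed registers with exports from the institution's own inventories and CMDB to produce the same kind of gap list before an inspector does.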

      Importance of third-party risk management

      The growth of ICT outsourcing and banks' reliance on a limited number of providers (see the ECB's recent report) are leading to further supervisory focus on ICT third-party risk management (TPRM). For the first time, ICT service providers (ICTSPs), including global hyperscalers and national infrastructure providers, are themselves being audited, with the findings incorporated into the OSI of the host institution.

       Topics receiving particular supervisory attention include:

      • The role of the third party’s substitutability, country risks, and subcontracting in assessments of ICTSP concentration risk.
      • ICTSP exit strategies, with particular focus on vendor lock-in, geopolitical risks and intra-group ICTSPs.
      • The active involvement of ICTSPs in resilience and BCM tests, and clear responsibilities for ICT change management.

      How to prepare

      As a first step, firms can learn from the previous experience of other financial institutions and prepare for possible or announced DORA OSIs in a structured, risk-oriented way by:

      1. Assessing implementation status. Identify and prioritise gaps via internal or external assessments; develop action plans involving all stakeholders; use benchmark analyses (e.g. the ECB ITRQ benchmark) to assess levels of maturity.
      2. Simulating the audit process. Experience shows that readiness checks, structured coordination (e.g. via an "audit office"), and clear roles and responsibilities are essential. A dress rehearsal by independent teams can help to uncover weaknesses.
      3. Focusing on effectiveness, not just design. Documentation alone is not enough; firms should be prepared to demonstrate that implemented controls actually operate as intended. The 2nd and 3rd lines (e.g. the resilience function, TPRM and internal audit) should be actively involved.
      4. Taking an integrated approach. Core building blocks include an inventory of ICT assets, business processes and ICTSPs; a full CIF methodology; and suitable security measures. Permanent responsibilities, even in cross-group structures, boost long-term effectiveness.
      5. Actively managing responsibility with ICTSPs. Contracts are just the beginning. Operational cooperation with ICTSPs must be practised and tested regularly, in proportion to materiality. Responsibilities, test procedures and results should be jointly managed and documented.
      6. Monitoring risk assessments and the OpRisk interface. Risks from open issues relating to DORA compliance should be factored into broader operational risk management. Measures already planned and remediation timetables should also play a role in risk mitigation.

      Conclusion

      Supervisory approaches to DORA are still emerging, but the direction of travel is towards regular inspections, with a focus on effective, joined-up controls that fully integrate third party ICTSPs. Looking ahead, the EBA’s revised draft guidelines for non-ICT third party risk management promise to foster a more harmonised approach to the regulation of ICT and non-ICT resilience.

      With supervisory expectations becoming clearer, financial institutions now have an opportunity to focus their preparations for DORA OSIs on the most important areas.



      Our people

      Elvira Niedermeier, Senior Manager, KPMG ECB Office, KPMG in Germany
      Dina Friedrichs, Manager, KPMG in Germany
      Vaike Metzger, Partner, Financial Services, Solution Lead IT Compliance & Cyber Security, KPMG AG Wirtschaftsprüfungsgesellschaft