Turning Necessity into Opportunity: How DORA Leads the Way to Stronger Cyber Resilience

October 11, 2023 20 mins


The Digital Operational Resilience Act (DORA) will accelerate a move to the minimum required maturity level for some organizations in the financial industry. For others, it will be an opportunity to enhance their capabilities and future-proof their business.

Key Takeaways
  1. DORA looks to strengthen the digital operational resilience of financial institutions within the EU.
  2. Compliance with DORA will strengthen and streamline operational resilience both internally and across supply chains.
  3. DORA will have a major impact on affected entities; now is the time to begin preparations.

Governments, businesses and customers look to financial entities as the backbone of the global economy. Because of this vital role, the industry’s cyber security is highly regulated and scrutinized.

That regulatory concern is well founded, given the recent resurgence of aggressive threat actor groups targeting financial services entities. In fact, ransomware claims were up 38 percent from Q4 2022 to Q1 2023.

Although financial institutions appear more resilient than sectors like healthcare and manufacturing, vulnerabilities continue to exist in their IT controls, such as backup security.

The European Union (EU) is therefore introducing the Digital Operational Resilience Act (DORA) to increase the digital resilience — i.e., the security of network and information systems — of financial institutions within the EU and mitigate risks associated with outsourcing to third-party service providers (TPPs).

While financial institutions operating in the EU are required to comply by January 2025, DORA also represents an opportunity for businesses to review and streamline their operational resilience and cybersecurity practices.

Why was DORA introduced?

DORA is designed to consolidate and upgrade risk requirements for information and communications technology (ICT) throughout the financial services sector. This ensures a common set of standards for mitigating operational ICT risks.

This new regulation is intended to ensure that the EU financial services sector, along with its critical ICT providers, is equipped to prevent and mitigate cyber threats and remain resilient in the face of a severe disruption.

The key difference between DORA and previous regulations in this space is in their scope. DORA ensures that the financial services ecosystem eradicates any weak links, and that individual institutions take a holistic approach to cyber security.

Affected Entities

DORA covers a broad range of financial service entities and ICT TPPs, and applies to most of the regulated financial institutions in the EU. Many entities that were not previously subject to specific ICT regulations now fall within the scope of DORA.


When it comes to implementing the requirements of DORA, the European Supervisory Authorities (ESA) operate on a principle of proportionality. They must consider the financial institution’s size and overall risk profile, as well as the nature, scale and complexity of their services, activities and operations.

Implementation Timeline

The European Parliament adopted DORA on November 10, 2022, and the regulation and related directive were subsequently published on January 16, 2023. The implementation period will be two years, with financial service entities expected to be compliant by January 17, 2025.

ESAs have been tasked with developing Technical Standards (RTS/ITS; Level 2 rules) applicable to all financial institutions within the scope of DORA. These are expected to be adopted by the end of 2024.


The Five Foundational Pillars of DORA

DORA goes beyond existing regulations by bringing together multiple aspects of operational resilience into one framework. It also raises the bar for how institutions manage their ICT risks, laying out a broad set of requirements across five foundational pillars.


We expect DORA to be an evolving standard that will change as operational resilience practices develop and standards are iterated between regulators and the industry. However, it is clear that operational resilience will be a prime focus for regulators in the coming years.

1. ICT Risk Management Framework

DORA requirements on governance and organization emphasize the need for financial service entities to establish an internal governance and control framework for ICTs, as well as appoint a management body to oversee and implement ICT risk management measures.

Financial entities shall have in place capabilities and staff, suited to their size, business, and risk profiles, to gather information on vulnerabilities and cyber threats, ICT-related incidents, in particular cyberattacks, and analyze their likely impacts on their digital operational resilience.


A key element of any robust governance and control framework is to be able to quantify and where possible mitigate the underlying risk. Embracing the latest techniques in cyber quantification through scenario planning will be key to success.

Adam Peckman
Head of Cyber Solutions, Asia-Pacific

The framework for this needs to be sound, comprehensive and well-documented as part of the overall risk management system, which must be periodically reviewed and audited.

2. ICT-Related Incident Reporting

DORA will provide for consistent and, if applicable, expedited reporting for ICT-related incidents.

There are strict timelines for reporting “major” incidents to the authorities. According to these notification requirements, financial entities must review and update their current internal incident reporting processes and outsourcing arrangements, where relevant.


By positioning cyber security as an operational concern, organisations are better able to address its significance and incorporate it into overall risk management discussions. It is bringing Cyber to the table.

Andy Catley
Cyber Security Director (Investigations & Response) UK/EMEA

3. Digital Operational Resilience Testing

To ensure digital operational resilience, financial entities are required to implement robust and comprehensive testing plans within their organization. In certain cases, advanced testing is required. This includes Threat-Led Penetration (PEN) Testing every three years, or more frequently, if requested by the authorities.

DORA also requires a security posture gap analysis and the implementation of countermeasures.

4. Third-Party ICT Risk Management

DORA aims to control third-party ICT risk by setting principle-based rules for monitoring risks related to outsourced tasks. Outsourcing agreements must comply with minimum contracting requirements, including:

  • Access to, recovery and return of data;
  • Service levels;
  • ICT incident assistance and termination; and
  • Participation in PEN Testing.

DORA also introduces a framework for ESAs to supervise critical TPPs.


Whilst financial entities tend to set recovery time objectives when developing BCM or a BCP, they do not look at this from a cyber point of view. It is important that financial entities re-think and approach risk from a cyber security lens.

Mani Dhesi
Head of Growth and Innovation, Cyber Risk Consulting EMEA

5. Information Sharing

Financial service entities have permission to exchange cyber threat information and intelligence among themselves. This includes indicators of compromise, tactics, techniques, procedures, cyber security alerts and configuration tools.

The main objective is to enhance the digital operational resilience of financial institutions by:

  • Increasing awareness of cyber threats;
  • Impeding threat propagation;
  • Bolstering defense capabilities;
  • Improving threat detection techniques; and
  • Devising effective strategies for mitigating and responding to threats.

Fines and Sanctions

DORA does not detail specific fines or sanctions for non-compliance. However, EU member states are required to establish effective, proportionate and dissuasive penalties. These may include fines, administrative sanctions or other measures, and will reflect the current implementations of DORA-related laws by each respective EU country. The respective national authorities will also see to compliance oversight and enforce the regulation as they see fit.

Organizations found to be in non-compliance may face legal and financial implications, including:

  • Fines and other administrative sanctions by EU member states;
  • Reputational damage, leading to loss of customer trust and potential legal action from those impacted; and
  • Regulatory action from national authorities responsible for enforcing DORA, including investigations, audits and orders for remedial actions.

Getting Ready for DORA: Initial Key Actions

DORA will have a major impact on entities falling within its scope. Qualifying financial institutions, their counterparts and ICT TPPs will need to make a significant effort to ensure timely compliance.

An assessment of the workforce and human capital data should also be considered an important element of any operational risk review and process improvement exercise. Human capital data provides excellent insights into a range of important considerations, including creating the optimal pay and incentives for key employees, identifying areas where staff are less engaged, and attracting and retaining the best talent in a very competitive environment.

Financial service entities should begin now. The time needed to enact the required standards across the entire organization — including all underlying entities — should not be underestimated, considering the need to:

  • Engage a diverse set of stakeholders;
  • Secure sufficient investment to implement the necessary capabilities; and
  • Balance implementation alongside existing technology work.

We recommend organizations take at least two initial key actions:

  1. Assess

     Perform a readiness assessment and gap analysis to determine the extent to which your organization is already in compliance with DORA requirements and the upcoming technical standards.

  2. Mitigate

     To achieve compliance cost-effectively, leverage current activities and accelerate the DORA compliance items already in progress, such as:

     • (Re)designing your ICT risk management framework and operating model;
     • Planning and executing operational resilience testing;
     • Accelerating your third-party risk management efforts; and
     • Adjusting your current information sharing arrangements.

As part of the “Cyber Loop,” Aon’s term for the journey towards good risk management, additional steps might include:

  • Harnessing meaningful cyber risk transfer solutions;
  • Considering how your business will respond and recover in the wake of a cyber event, and effectively quantify impact; and
  • Managing third party and insurance claims.

How Aon Can Help

Our multidisciplinary Cyber Solutions teams bring a wealth of experience in technology, cyber security, regulatory compliance and ICT risk management to help you strengthen your operational resilience and make better decisions. They work seamlessly with our team of financial service experts to deliver integrated solutions that help you achieve compliance with DORA.

General Disclaimer

This document is not intended to address any specific situation or to provide legal, regulatory, financial, or other advice. While care has been taken in the production of this document, Aon does not warrant, represent or guarantee the accuracy, adequacy, completeness or fitness for any purpose of the document or any part of it and can accept no liability for any loss incurred in any way by any person who may rely on it. Any recipient shall be responsible for the use to which it puts this document. This document has been compiled using information available to us up to its date of publication and is subject to any qualifications made in the document.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
