16 December 2024
What is the Digital Operational Resilience Act (DORA)?
DORA is the EU-led operational resilience regulation for financial services institutions. The act introduced uniform principles for managing operational resilience risks, streamlining the reporting of cyber incidents, and supervising third parties. It covers various aspects of ICT risk management, including digital operational resilience testing and the oversight of Critical Third-Party Providers (CTPs).
It will apply to an estimated 22,000 firms and forms part of a wider EU Digital Finance package. It is also aligned to operational resilience frameworks in the UK.
Type 1 assessment – ICT supplier alignment
An assessment of supplier cyber controls aligned to the five DORA pillars, with an external advisory report provided for your Financial Institution (FI) customers. This is suitable for small to medium-sized ICT suppliers.
Type 2 assessment – critical ICT supplier
For ICT suppliers designated as “critical” by a regulator, we can support with an assessment of current posture against additional requirements, including supplier contract reviews and intelligence-led penetration testing.
Type 3 assessment – full FI regulatory assurance and review
- Review and remediation with regulatory technical standards and implementing technical standards.
- Coordination with applicable regulator.
- Specialist cyber security services, including incident simulation and intelligence-led penetration testing.
How we can support ICT suppliers
Overview
Financial institutions and regulators are asking ICT suppliers to align with DORA. The European Supervisory Authorities (ESAs) are collaborating with national regulators to create a database of ICT suppliers. In the UK, His Majesty’s Treasury (HMT) can designate CTPs under the Financial Services and Markets (FSM) Bill. Firms designated as “critical” subject to DORA must submit their ICT supplier registers by 31 March 2025.
Critical third-party providers designation
The ESAs and, if applicable, the UK financial services regulator, will evaluate these registers to identify and designate critical ICT suppliers. Notifications will be sent to any ICT suppliers deemed critical. This assessment is expected to be an annual exercise, ensuring ongoing compliance and resilience in the financial sector.
Implications for organisations
Organisations designated as critical under DORA must:
- Assess their additional obligations and enhanced supervisory requirements.
- Review and update contractual arrangements with ICT suppliers.
- Implement necessary measures to ensure compliance with DORA’s requirements.
Key requirements for ICT suppliers
Organisations not designated as critical under DORA, but identified as key ICT suppliers to customers undergoing DORA compliance, can undergo an RSM-tailored assessment of their IT controls and processes to give those customers confidence in them as a supplier. Suppliers should:
- Assess IT security controls’ operational and design effectiveness against the five DORA pillars.
- Remediate any gaps in technical controls and processes.
- Continue testing based on emerging DORA updates.
Subject to assessment, we can provide external reports, which can be shared with customers and suppliers to demonstrate DORA alignment and confidence.
Supplier risk can originate from large and small organisations
The growing dependence of financial institutions on a limited number of third-party service suppliers has created concentration risk in the market.
Suppliers, regardless of reach or size within the financial services market, pose a risk to their customers.
Five DORA pillars
ICT risk management
The supplier takes a risk-led approach to cyber security, running processes for identifying, assessing and treating risks, and operating controls to protect data and systems. The supplier has the expected baseline cyber security and IT risk controls in place to support the requirements of the DORA pillars.
ICT-related incident management, classification and reporting
Suppliers should have and test incident management processes for reporting and managing incidents that could impact FI client operations, including internal and third-party incidents affecting the supplier.
Digital operational resilience testing
Suppliers must perform annual penetration testing of their key services to financial institutions.
ICT third-party risk management
Suppliers must have a proactive and risk-based approach to third-party vendor risk management. Suppliers must identify and assess the criticality of their third-party vendors, conduct due diligence, and continuously monitor and oversee them.
Information sharing
The final resilience pillar relates to information sharing, requesting that suppliers outline strategies for sharing threat intelligence and exchanging information securely within trusted communities.
How we can help
We are actively supporting ICT suppliers operating in the EU and Nordic regions with gaining DORA confidence through security control assessments.
For further information, please contact Sheila Pancholi, Riza Unal or Neville Manekshaw.