Preparing for DORA

The Digital Operational Resilience Act (DORA) will enter into force on the 17th January 2025. After this point, banks, other financial institutions, and all organisations providing services and products in the financial sector in the EU will be required by law to adhere to the regulation.

This includes explicit rules around areas including incident reporting, ICT risk management, operational resilience testing and ICT third party risk monitoring. Operational resilience in particular, or rather a lack of, has been specifically acknowledged as having the potential to put the whole financial system at risk in the context of a serious incident.

Why should the UK take note?

While the fundamental goal of DORA is to apply a set of uniform requirements for the security of the IT infrastructure of companies and organisations in the financial sector across the EU, critically it also applies to any third parties providing ICT related services to them. This could include data analytics or cloud provision services for example.

As a result, all firms will need to ensure that they can mitigate, respond to and recover from the myriad of potential IT related disruptions and threats they could face. This encompasses the entire financial sector from asset management, credit, crypto-asset service providers, banking and insurance to investment firms.

How can firms best prepare?

Traditionally, the capabilities of financial institutions to detect, respond, recover and protect themselves from breaches, cyber-attacks, data compromise and other serious IT incidents has varied substantially from organisation to organisation.

A key area organisations may want to consider exploring as they embark on their preparations to meeting compliance with DORA is to ensure they are armed with the necessary skills and capabilities. There are a number of avenues to explore here, including:

• Regular training - financial organisations will need to implement a programme of regular training, not only for staff specifically responsible for IT and security, but also the board/management team. IT security and best practice should be embedded as a compulsory part of all staff training, including senior management. There are a number of training exercises that may prove valuable to help with this, including threat hunting, capture-the-flag and live-fire.

• Resilience testing - establishment of a digital operational resilience testing programme is a key requirement as part of DORA. This programme will vary in terms of its scale and complexity depending on the organisation’s risk profile, size and nature of business. However, all financial firms will need to ensure their IT systems and applications are tested at a minimum of once a year by an independent party. Furthermore, more advanced threat-led penetration testing (also known as red/purple team assessment) has to be carried out at least every three years.

Time to act

While 2025 may seem like a long away, the reality is that taking the necessary steps to ensure compliance with DORA needs to start happening now. Any organisation operating in or providing IT related services to the financial sector within the EU should start strategically and operationally planning before it is too late. It is also vital to be aware that while DORA officially comes into force on the 17th January 2025, the regulation will start to apply from late 2024, which is less than 18 months from now.