EU DIGITAL OPERATIONAL RESILIENCE ACT
Digital Operational Resilience means the ability of a Financial Entity to build, assure and review its operational integrity from a technological perspective by ensuring, directly or through the use of services of ICT Third-party providers, the full range of ICT-related capabilities needed to address the security of its network and information systems.
Financial regulators in Europe now focus much more on the operational resilience of the financial system. Much of this is driven by better awareness of the risks that arise from the adoption of digital technologies and the interconnectedness of third parties. However, operational resilience is a much wider area than the definition above outlines, and it requires a broader way of thinking about how the financial sector plans for and responds to a variety of non-financial events. It requires firms, inter alia, to consider how various disruptions might endanger their viability, harm their customers, counterparties and shareholders, and have knock-on effects on the stability of the broader financial system.
Events of the recent past have demonstrated a clear link between the way financial entities manage their operational resilience and their ability to maintain the confidence of their customers, shareholders and broader financial market participants. Resilience to often unexpected and severe operational threats is being recognised by financial entities' management and by regulators as a clear positive.
The new EU DORA regulation harmonises current legislation and fills existing gaps, which improves the functioning of the internal market for financial services. It establishes a unified digital framework whereby firms can adapt to, endure and better mitigate all types of ICT-related disruptions and threats. It sets out several objectives "to increase the collective digital resilience of the financial sector including ICT vulnerability management, ICT risk management and ICT third party risk, exchange of ICT threat intelligence and streamlining the approach to regulatory reporting".
DORA is much broader than previous EU regulations and as such a wider range of entities from large and complex organisations to small and simple businesses may have to comply with it. Some entities which are not traditionally considered regulated financial service providers are listed below:
- Investment firms
- Crypto-asset service providers
- Central counterparties and securities depositories
- Trade venues and repositories
- Managers of alternative investment funds and management companies
- Data reporting service providers
- Credit rating agencies
- Crowd funding service providers
- Payment and electronic money institutions
- Insurance and reinsurance undertakings
- Institutions for occupational retirement pensions
- ICT third-party service providers
- Governance and Definition of all processes to compliance – 1 to 3 months
- Risk Management Framework including all risks assessment and action plan to address gaps – 2 to 6 months
- Third-party Risk Management Framework including identification of critical service providers and legal contracts renegotiation – 1 to 3 months
- Regulatory Testing of all applicable scenarios – 2 to 6 months
- Process improvements, resources and capabilities building – 3 to 6 months
Based on experience with various financial organisations across Europe, DORA Consultancy can confirm that most organisations do not fully understand the implications of the regulatory requirements or the magnitude of the required changes. The typical challenge is that a financial organisation treats DORA as just another compliance checklist. In reality, it needs to manage many external dependencies and much more detailed processes that are unlikely to have been managed so far.
We believe that consistency in addressing digital operational risks contributes to enhancing confidence in the financial system and preserves its stability.
Compliance
Compliance in general and DORA in particular: how to start those processes?
Risk Management
What are the 5 key attributes of ICT Risk Management and how should we link them with DORA requirements?
Incident Management
How should we manage security incidents, breaches or attacks and their aftermath?
Information sharing
How do we get value from incidents that happened to competitors and peers, and provide value to everyone?
Resilience Testing
What, how and when to test your environment and the core solutions managed by you and your suppliers.
Third-party Risk Management
They say that your organisation is only as secure as your weakest third-party service provider.
IT service provider obligations
If your company supplies to a financial entity.