At a glance:
- The EU’s Digital Operational Resilience Act (the DORA) has been ratified by EU legislators and will start applying 24 months after its entry into force, which at the time of writing is expected to be 1 January 2023.
- FS firms will face challenges in delivering on DORA’s immediate implementation demands but they should also prepare themselves for its broader strategic implications.
- The new obligations will require a mindset shift from Boards, who will be tasked with strengthening their firm’s resilience to unexpected digital disruptions in a dynamic way that constantly responds to the evolution of threats and vulnerabilities.
- The immediate and ongoing obligations established by the DORA mean that Boards and CxOs of FS firms will have to play an important role in leading their firms’ response to its implementation and taking the investment decisions necessary in order to build their firms’ resilience.
Relevant to: Board members, Non-Executive Directors, CEOs, CFOs, CROs.
The DORA, the EU’s flagship initiative on digital operational and cyber resilience in the FS sector, has now been ratified by EU legislators. It will introduce a unified regulatory and supervisory rulebook for ICT operational resilience in the financial sector, pushing FS firms to make substantial investments to improve their resilience to digital and cyber risk disruptions.
All components of the DORA must be implemented 24 months after its entry into force. Entry into force will occur 20 days after the DORA is published in the EU Official Journal later this year, meaning that we expect firms to have to comply with the DORA from the very beginning of 2025.
A detailed technical agreement on the content of the DORA was reached by negotiators over the summer. For our analysis of that deal across the DORA’s ‘Five pillars’, read our July 2022 blog here.
This blog explores five strategic implications that the leadership of financial services firms will need to understand as the DORA is implemented and put into practice by the FS sector and its supervisors.
Strategic implications for FS firms arising from the DORA
1. The concept of ‘operational resilience’ will mean a mindset shift for firms: The DORA brings an operational resilience view to the EU FS regulatory framework for the first time, replacing the previous patchwork of cyber and IT risk-focused guidelines with a new holistic approach to building resilience against digital disruptions. This is about more than just a change in terminology – operational resilience goes beyond the traditional risk management approaches used by cyber, IT risk and business continuity functions. It pushes firms to assume that severe disruptions are unavoidable (no matter how strong a firm’s defences are) and to build a higher level of resilience to such disruptions into the operating model of their most important services or functions. This will lead to an ongoing dialogue between firms and authorities, the terms of which still need to be elaborated by EU financial supervisors now that the DORA legislation has been finalised.
The development of this approach in the UK (which implemented its operational resilience framework in March 2022) has meant that firms have had to set high benchmarks for their future resilience that will require substantial investment to meet. The UK example has also demonstrated that there will be a greater need for cross-sectoral collaboration on common resilience vulnerabilities that cannot be sufficiently addressed at the firm level. Here, the sector will need to show initiative in developing methods to address third party concentration risks, third party testing practices, and the sharing of real-time threat intelligence.
2. Executive accountability for operational resilience has been strengthened: The DORA establishes responsibility for a firm’s operational resilience at the Board and CxO-level, and senior management will need to take a leading role in the implementation of the DORA’s most important components. In more practical terms, board members and senior executives will have to sign off on a set of key plans, such as the firms’ digital operational resilience strategy and its policy on ICT Third Parties (TPs). Furthermore, senior leaders will also be responsible for making the operating model decisions necessary to embed the DORA’s requirements into firms’ daily operations, such as setting risk tolerance levels and deciding how to prioritise remediation actions in order to address operational vulnerabilities that are identified.
Although the supervisory expectations for Boards will only fully emerge later, the DORA’s components that require sign-off point to significant additional oversight that will likely demand further skills and resources for most Boards. The DORA’s implementation will make it increasingly critical for Boards and CxOs to demonstrate to supervisors that their firms are resilient to firm-specific threats as well as broader sectoral threats. They will need to have a good understanding of the firm’s readiness to cope with potential ICT disruptions while maintaining continuity of services. They will need to demonstrate that they have made the right management decisions, properly reviewed and challenged resilience plans, and consequently strengthened the firm’s resilience. Regular management information on threats and vulnerabilities emanating from the external environment will need to be factored into the overall resilience of the firm in a dynamic manner.
3. Continuous obligations will drive firms’ actions beyond the implementation period: The 24-month implementation period will challenge most FS firms, including large and sophisticated ones in areas such as advanced testing, incident reporting, and business impact analysis. Nevertheless, the DORA also establishes an ongoing way of managing resilience in FS firms based on constant review that will have long-term implications. For instance, FS firms will have to carry out ongoing resilience testing and continuously evaluate risks and the appropriateness of their resilience plans. They will also be required to continuously gather threat intelligence in order to comply with the new threat and incident reporting obligation as well as to elaborate their own risk scenarios. The DORA requires firms to identify Critical or Important Functions (CIFs) as a focal point for the work they must do to build their resilience, particularly when it comes to threat identification and scenario testing.
The key idea here is that achieving “good” operational resilience will be an ongoing regulatory obligation that will constantly change as threats and vulnerabilities keep evolving. By investing in strategic capabilities, such as threat intelligence and resilience testing, Boards and CxOs will be better equipped not only to understand how the scenarios against which they must build their resilience may affect their firm’s critical functions and lead to further downstream impacts, but also what investments it will take to achieve a sufficient level of preparedness. Moreover, strategic capabilities of this kind will also be crucial in better responding to unforeseen disruptions, as Boards and CxOs will have developed a deeper and more detailed understanding of their firm’s core structure and functioning.
4. Firms’ outsourcing strategies are likely to be affected: Addressing third-party vulnerabilities is already the top challenge in strengthening operational resilience for UK firms (which are further ahead in the operational resilience journey). The DORA introduces the world’s first Critical Third Party (CTP) oversight framework, expanding the scope of the FS regulatory perimeter and granting the European Supervisory Authorities (ESAs) substantial new powers to supervise CTPs and address resilience risks they might pose to the FS sector. Nevertheless, EU regulators have been clear that this does not detract from any of the individual responsibilities of FS firms in terms of outsourcing. Indeed, the DORA imposes several new third-party risk management requirements on FS firms that will be even stricter where the TPs support the delivery of a firm’s CIFs. This may become particularly important for FinTechs / digital-native firms, whose reliance on certain digital platforms may leave them more exposed to ICT third party risk and invite greater supervisory scrutiny of that risk.
Firms should also pay particular attention to the DORA’s required concentration risk assessments. Vulnerabilities that may be identified from those assessments – such as overreliance on a single TP provider or the criticality of serviced functions – may expose FS firms to enhanced scrutiny from their supervisors. In turn, this may put pressure on Boards to review their strategic decisions around who to partner with, their risk appetite for entering into third party relationships, and the role that they should ask risk and procurement functions to play in reflecting this risk appetite in the firm’s operating models. Boards may also consider addressing identified concentration risks by resorting to remedies such as adopting a multi-vendor strategy.
5. Operational resilience must now shape executive-level investment decisions: Building operational resilience into a firm requires embedding it as a key driver of business and operating model design decisions. More specifically, FS firms will be required to set their desired level of resilience as part of developing the digital operational resilience strategy the DORA requires – forcing top management to become more proactive drivers of risk and resilience decisions. This means that Boards and CxOs will need to both understand the business case for investing in resilience capabilities and be able to articulate how up-front costs are balanced out by having a more resilient operating model that stands up to increasing regulatory scrutiny over time. To make this practical, Boards and CxOs should prioritise areas that are likely to be high on supervisors’ agendas during the DORA’s implementation, such as requirements that demand regular outputs that can be challenged by supervisors (e.g., the selection of CIFs, business impact analyses, resilience testing practices, outputs from the incident reporting framework).
Management should be mindful of how supervisors might interpret the DORA’s proportionality principle. Larger firms are more likely to have more advanced capabilities in certain areas (e.g., resilience testing), but they will also be subject to a much higher level of scrutiny given the potential systemic importance of their key services. Smaller firms may conversely benefit from less stringent requirements (e.g., not being required to undertake threat-led penetration testing (TLPT), using the DORA’s simplified ICT risk management framework, etc.) but may still face a significant investment demand to build the capabilities needed to comply with parts of the Regulation that apply broadly, such as the ICT incident reporting requirement and the third-party risk management provisions.
The DORA will not be a “one-off” compliance exercise but will instead push firms to remain resilient in an ever-changing threat landscape and an ever more complex technological environment.
Although a significant amount of the DORA’s secondary rulemaking still needs to be done by the ESAs in the next 24 months and EU financial supervisors have to clarify the expectations around resilience that they will set for firms, it is already clear that Boards and CxOs are expected to play an important role in building resilience and in assuming a greater share of the responsibility for the key decisions that now need to be made as the DORA proceeds towards implementation. It will be important to set a strong “tone from the top” around firms’ commitment to building operational resilience – a signal that regulators, investors, and other stakeholders will take note of as operational threats in the FS sector grow.