Digital Operational Resilience Act

DORA and its impact on UK financial entities and ICT service providers


The Digital Operational Resilience Act (DORA) is a new European framework that focuses on embedding a more robust and resilient approach to delivering digital capabilities for financial entities.  

DORA: Why it is relevant to you

The framework shifts the focus from guaranteeing firms’ financial soundness to also ensuring they can maintain resilient operations through severe operational disruption caused by cyber security and information and communication technology (ICT) issues.

By introducing a single consistent supervisory approach across a wide range of financial market participants, including credit institutions, payment institutions, account information service providers, electronic money institutions, investment firms, insurance companies, crypto-asset service providers, exchanges and clearing houses, alternative fund managers, pension, credit rating agencies, etc., DORA ensures convergence and harmonisation of security and resilience practices across firms operating in the European Union (EU).

Why is DORA relevant?

DORA applies to more than 22,000 financial entities and ICT service providers operating within the EU, as well as the ICT infrastructure supporting them from outside the EU. The regulation introduces specific and prescriptive requirements for all financial market participants.

DORA builds on previous industry-specific guidelines to define requirements around consistent ICT risk management; comprehensive resilience testing capabilities (including threat-led penetration testing); and third party risk management, ensuring a consistent provision of services across the entire value chain.

The five key topics at the centre of DORA are: ICT Risk Management; ICT-related Incident Management, Classification & Reporting; Digital Operational Resilience Testing; ICT Third Party Risk Management; and Information Sharing Arrangements.

The regulation is unique in introducing a Union-wide Oversight Framework on critical ICT third-party providers, as designated by the European Supervisory Authorities (ESAs).  

When will DORA be enforced?

DORA entered into force on 16th January 2023. With an implementation period of two years, financial entities will be expected to be compliant with the regulation by early 2025.

Draft

On 24th September 2020, the European Commission published its draft Digital Operational Resilience Act (DORA) as part of the Digital Finance Package (DFP).  

Reaching an Agreement

Following the publication of the European Parliament and Council's proposals for DORA, the co-legislators held political and technical discussions throughout H1 2022.
The European Council adopted DORA on 28th November 2022, after the European Parliament voted in favour of the act on 10th November 2022.

Entered into Force

DORA entered into force on 16th January 2023. We expect the first regulatory and implementing technical standards (RTS and ITS) to be developed by the European Supervisory Authorities (ESAs).

Regulatory Technical Standards (RTS) & Implementing Technical Standards (ITS)

Multiple regulatory and implementing technical standards are defined and issued by the ESAs. They will provide entities with specifications and guidance on how to implement specific DORA requirements.  

Enforcement

DORA requirements are enforceable 24 months after entry into force. Therefore, financial entities will be expected to be compliant with DORA by early 2025.

Our view on DORA for UK entities

Given the broad scope of DORA, it addresses many topics that already apply to Financial Services firms operating in the EU and the United Kingdom, while being more prescriptive around ICT and cyber resilience than current UK operational resilience regulation.

UK entities will need to act quickly to determine if they fall in scope of DORA, based on the broad range of financial markets activities included and whether those take place within EU jurisdictions.

Even for those entities that are familiar with financial markets resilience regulation, certain capabilities such as more detailed operational resilience testing around ICT (particularly threat-led penetration testing) and threat intelligence sharing require attention, while other areas (such as third party risk management) need to be carefully aligned with existing and emerging UK regulatory requirements.

Our recommendation for all UK entities in scope is therefore this: regardless of where your entity is in terms of the maturity of its digital and operational resilience, DORA should be a trigger for creating alignment between the other programmes the organisation has running (e.g. Operational Resilience, Third Party Risk Management, Technology Risk Remediation, Cloud Transformation and Cyber Transformation) and for identifying which additional requirements need to be addressed. As a starting point, organisations should perform an initial gap analysis and maturity assessment against the DORA requirements, to inform any reshaping of those programmes or of other ICT and cyber resilience activities within the organisation.

DORA – So what?

We view DORA simultaneously as a challenge and an opportunity for financial entities and their critical ICT providers. The EU-wide uniform requirements of DORA mean that financial entities need to ensure they can manage a consistent maturity level of ICT and cyber resilience across all their EU operations.

With a two-year readiness period, there is a lot that needs to be considered, implemented, and demonstrated. Starting right now, financial institutions will want to conduct comprehensive gap assessments to evaluate their respective maturity against DORA and identify any areas that require further investment and prioritisation. This will put organisations in a better position to address more complex requirements such as third party risk management, advanced technology resilience testing (including threat-led penetration testing), incident reporting and threat intelligence.

We see DORA as a significant change for entities under ESMA or EIOPA supervision, but also for banks which have already had to comply with existing EBA guidelines on banking supervision. DORA also extends its scope to include other stakeholders in the financial sector which so far have not been subject to extensive ICT security regulation, e.g. crypto-asset service providers, intermediaries, managers of alternative investment funds, crowdfunding service providers, cloud-service providers and ICT third-party service providers.

Given the strong focus on third party risk management, entities are expected to satisfy themselves of a third party’s resilience, which will require close interaction and joint efforts with their critical ICT third-party service providers, especially where those providers support the delivery of an important business service. DORA also requires that a number of contractual obligations be inserted into the contracts under which financial entities procure ICT services and products. This will apply to existing in-scope contracts, which will need to be collated, reviewed and amended to ensure compliance, and any new in-scope contracts will also need to include such obligations.

I have an in-flight Operational Resilience program, how does DORA impact that or what can I leverage?

Operational Resilience regulation and DORA seek to drive specific and often complementary outcomes. As a result, a number of common elements exist between the UK Operational Resilience regulation and DORA. Some examples are outlined below:

  • Identification of Important Business Services (IBSs) - UK firms should already know what their most important business services are, and since DORA mandates an understanding of the critical or important functions supported by ICT, this existing work can take firms some way towards addressing that requirement.
  • Mapping of dependencies - Since firms’ IBSs are likely to depend on a number of ICT services, provided either internally or by third parties, the mapping undertaken for operational resilience is likely to already capture some of this information.
  • Scenario testing - DORA puts in place some quite specific requirements for ICT services; however, your firm's defined testing approach for demonstrating resilience could help inform a DORA testing programme.

It will also be important to consider how the ongoing sustainability of your approach to Operational Resilience will be delivered as there may be opportunities for tools or technology platforms to be leveraged for the purposes of DORA too.

The full DORA regulation does however need to be understood by individual firms in order to allow determination of where their existing Operational Resilience journey can fulfil specific requirements.

What does DORA mean for ICT Service Providers?

DORA raises the bar for ICT service providers designated as ‘Critical’ by the ESAs, bringing them under the direct scrutiny of regulators. They will need to perform a comprehensive assessment of their obligations under DORA. Contractual changes to align with DORA requirements may prove challenging, such as terms around ‘unrestricted rights of access’ and obligations to ‘fully cooperate during onsite inspections and audits performed by… competent authorities’.

DORA sets the regulatory focus on 5 key pillars

ICT Risk Management

Financial entities are required to set up a comprehensive ICT risk management framework, including:

  • Set up and maintain resilient ICT systems and tools that minimise the impact of ICT risk
  • Identify, classify and document critical or important functions and assets
  • Continuously monitor all sources of ICT risk in order to establish protection and prevention measures
  • Establish prompt detection of anomalous activities
  • Put in place dedicated and comprehensive business continuity policies and disaster recovery plans, including yearly testing of the plans, covering all supporting functions
  • Establish mechanisms to learn and evolve both from external events and from the entity’s own ICT incidents

ICT-related Incident Management, Classification & Reporting

Financial entities are required to:

  • Develop a streamlined process to log/classify all ICT incidents and determine major incidents according to the criteria detailed in the regulation and further specified by the European Supervisory Authorities (EBA, EIOPA and ESMA)
  • Submit an initial, intermediate and final report on ICT-related incidents
  • Harmonise the reporting of ICT-related incidents through standard templates as developed by the ESAs

These requirements also apply to operational or security payment-related incidents and to major operational or security payment-related incidents, where they concern credit institutions, payment institutions, account information service providers, and electronic money institutions.

Digital Operational Resilience Testing

The regulation requires all entities to:

  • Annually perform basic ICT testing of ICT tools and systems
  • Identify, mitigate and promptly eliminate any weaknesses, deficiencies or gaps with the implementation of counteractive measures
  • Periodically perform advanced Threat-Led Penetration Testing (TLPT) for ICT services which impact critical functions. ICT third-party service providers are required to participate and fully cooperate in the testing activities

ICT Third Party Risk Management

Financial entities are required to:

  • Ensure sound monitoring of risks emanating from the reliance on ICT third-party providers
  • Harmonise key elements of the service and relationship with ICT third-party providers to enable a ‘complete’ monitoring approach
  • Report their complete register of outsourced activities, including intra-group services and any changes to the outsourcing of critical services to ICT third party service providers
  • Critical ICT third-party service providers will be subject to a Union Oversight Framework, which can issue recommendations on the mitigation of identified ICT risks. Financial entities must consider the ICT third-party risks of service providers who do not follow the defined recommendations.
  • Take account of the risks of IT concentration and risks arising from sub-outsourcing activities
  • Ensure that all contracts with ICT third-party providers contain the mandatory clauses specified by DORA (including by remediation of existing contracts). Such clauses need to include all necessary monitoring and accessibility details, such as a full service level description, an indication of the locations where data is being processed, etc.

Information-sharing Arrangements

  • The regulation allows financial entities to establish arrangements amongst themselves to exchange cyber threat information and intelligence.
  • The supervisory authority will provide relevant anonymised information and intelligence on cyber threats to financial entities. Therefore, entities should implement mechanisms to review and take action on the information shared by the authorities.

Why work with us?

PwC has the expertise and capabilities to support you on your journey to manage all of DORA’s regulatory requirements and enable you to achieve your organisation’s resilience objectives. We can leverage our extensive experience supporting clients with complying with the UK regulatory requirements on operational resilience (introduced in 2021 by the Bank of England, FCA and PRA) and EBA/PRA guidelines on outsourcing, which provides us with unique insights into the similarities and relationship with DORA’s requirements.

Our global network of industry experts can work with your technology risk function and existing operational resilience, cyber security, and third party risk management programmes, as well as your in-house legal teams, to address any gaps in your digital and operational resilience maturity.

Contact us

Vanessa Tufnell

Director, Cyber Security, PwC United Kingdom

Tel: +44 (0)7483 316544

Duncan Scott

Operational Resilience Leader - Banking, PwC United Kingdom

Tel: +44 (0)7894 393607

Danny Chamings

Director, Financial Services Technology Governance, Risk and Control, PwC United Kingdom

Tel: +44 (0)7967 490435

Charles Rodger

Director, Assurance & Risk Management, PwC United Kingdom

Tel: +44 (0)7725 633265