The final version of the Digital Operational Resilience Act (DORA) may not be out yet but firms can start planning compliance programs now. In a Q&A with DerivSource, Alexandre Vandeput, Principal Consultant at Capco Belgium, offers a quick view on this upcoming EU regulation which will require financial institutions of various types to up their game in digital operational resilience processes.
Q. Can you offer a quick overview of DORA, its aim and current status within the EU legislative process? When is the final version expected?
A. DORA, or the Digital Operational Resilience Act, is part of the EU Digital Finance Package which aims to create the necessary conditions to foster innovation and competition in financial services in the European region while mitigating the associated risks. DORA seeks to strengthen financial institutions’ resilience in cases of stress, and accordingly wants to ensure that all ICT risks arising from digitalization are properly mitigated. As such, this regulation will be applied to banks and insurance firms, as well as to critical third-party service providers such as cloud providers.
DORA is set to be translated into a regulation that will focus on five key pillars:
- ICT risk management framework
- Incident management framework
- Digital resilience testing
- ICT third-party risk
- Governance & information sharing.
The draft law for DORA was published in September 2020 by the European Commission, and must now be submitted to the European Parliament for review and approval. At the time of writing, there is no confirmation on a projected enactment date, although the regulation will have to be enforced by member states within 12 months of enactment. Firms will then have up to 36 months post enactment date to comply with Articles 23 and 24, which address operational resilience testing.
Q. DORA will impact a wide range of financial institutions as well as non-regulated third-party service providers in the ICT space. Will this new regulation impact all of the above firms equally? Is it a financial institution’s responsibility to monitor and verify that their ICT third-party providers are compliant?
A. The principle of proportionality applies to this regulation, meaning that the scope and intensity of the measures that firms will need to implement to ensure compliance will be proportionate to (a) the degree to which any disruption of their services will impact on the overall economy and (b) the overall business and risk profile of the financial entity. This means that a major banking player or cloud provider will have to implement (more significant and by extension costly) risk mitigation measures that reflect their size and business profile.
Companies that have outsourced activities will remain clearly accountable for those services provided by a third party. So a financial institution that outsources a service to a third party will have to ensure suitable recovery processes are in place in the event of unforeseen service outages, for example. This is a cornerstone principle in respect of outsourcing: the recipient of a service must at all times guarantee that it controls any tasks and services provided by an external service provider and is ultimately accountable for the delivery of that service.
Q. Can you outline the main pillars of this regulation? Which pillar is likely to require the most preparation amongst firms?
A. Certainly, digital operational testing is a key requirement. This will require firms to coordinate broad testing programmes with critical third parties; for cross-border entities, this will inevitably require significant coordination efforts and alignment. Above all, there are still some uncertainties on the Regulatory Technical Standards (RTS) that the EU will impose to deliver those, so we do not know what the precise impacts on financial institutions’ current ways of working are going to be.
One very new – and impactful – requirement will apply to key third parties themselves. In effect, large cloud providers, for example, will need to comply with the very same rules as their financial services clients. This represents something radically new for such providers in terms of transparency, collaboration and openness with regulators.
On the ICT risk management framework side, there will be a very tangible uplift in terms of digital resilience strategy. The main impacts will be around setting risk tolerance for ICT risks, the definition of multi-vendor strategies and the rationale behind procurement mix, and the setting out of clear information security objectives.
A perhaps less significant pillar relates to incident reporting, as the European Union Agency for Cybersecurity (ENISA) has already put such guidelines in place, with which some institutions are already in compliance.
Q. Can you share the main 3 steps you think firms should be taking now or in Q1 2022 to get their compliance programs underway early? How long might a compliance program take? How do you see Capco supporting firms in their compliance programs?
A. Financial institutions should ideally already be actively working on three areas:
- They should conduct maturity assessments in order to identify gaps and draft mitigation plans against DORA requirements
- They need to leverage the work done to comply with the previously enforced EBA guidelines on outsourcing to deliver a register of all outsourcing arrangements
- They should start working on different testing scenarios – including vulnerability tests, physical security reviews, penetration testing, etc. – to raise the maturity level of their teams in respect of transversal security management.
In terms of timelines, those programs intended to implement regulatory, process, technical and people changes can take from 12 months to 36 months to complete, depending on the scope of activities and business profile of the company. To help speed that process, firms should look to conduct maturity assessments, gap analyses and benchmarking – and also implement the changes up through the compliance and remediation stages to ensure there is clear alignment between business and IT objectives.
Q. Do you think DORA will be a huge focus for 2022 or is this more a 2023 regulation?
A. A mix, depending on the firm. At Capco we are certainly already receiving RFPs related to DORA, but we also see firms that are taking a ‘wait and see’ approach. The regulatory burden has substantially increased in recent years, but it is also clear that unpredictable events – as COVID has demonstrated – can have huge impacts on the operational resilience of the financial sector as a whole if effective mitigation measures are not in place. So our view is it is better to be safe than sorry, and to be an early mover rather than being late to the DORA party.
Capco, a Wipro company, is a global technology and management consultancy specializing in driving digital transformation in the financial services industry.