Ensuring compliance with DORA
The European Union Council has formally adopted the Digital Operational Resilience Act (DORA), a regulation introduced to ensure that digital infrastructure, including the systems and networks that underpin critical services in the financial sector, is secure and resilient against potential threats.
Objectives of DORA
The objective of DORA is to improve the cybersecurity and operational resilience of all regulated European financial institutions and of the crucial third parties that provide these institutions with Information and Communication Technology (ICT) related services. While cyberattacks cannot be avoided, financial stability in Europe can still be maintained if organizations mitigate the impact of cyber threats on their ICT.
Who is responsible?
Overall responsibility for this framework, and for the other governance obligations imposed by DORA, will rest with the firm’s management, which will be responsible for reviewing, approving, implementing and updating the risk management framework. This will require management to have full awareness and understanding of the financial institution’s ICT usage, services and risk profile.
Firms may wish to revisit how reporting lines from their ICT teams to senior management function in practice. The financial institutions that are subject to DORA must appoint a senior executive responsible for digital operational resilience and report incidents to the appropriate authorities.
Although the end of 2024 seems far away, compliance can be challenging and time-consuming for these organizations. Compliance will be enforced by the entity’s competent authority. EU Member States will have the right to impose penalties for breach of obligations.
Achieving compliance with DORA
Achieving compliance with the onerous DORA obligations within the stipulated timeframe will be challenging and time-consuming. While DORA allows a transition period until 17 January 2025, we recommend that in-scope organizations kick off preparations immediately.
We recommend adopting a phased approach whereby the in-scope entities chart a DORA Compliance Program with the aim of achieving DORA compliance by the end of the transition period. Failure to achieve compliance may lead to severe fines from January 2025 onwards.