The Digital Operational Resilience Act is Finalized – Now is the Time to Act

Posted on: August 18, 2022
Author: Lauren Kornutick

Operational resilience is not just another buzzword. It is top of mind for business leaders and regulators around the world. Resilience enables agility when confronted by the chaos of our present world, and it protects against the disruption of critical customer-facing operations. Being resilient requires a culture where everyone in the organization participates to protect against things such as: obligations to meet your customers' contractual requirements, compliance violations from emerging regulations and new legal requirements, reputational damage from a scandal or crisis, or (worst-case scenario) an economic meltdown.

At its core, the concept of operational compliance is the minimum standard designed to keep an organization and consumers safe from disruption – but resiliency is so much more than just meeting a basic obligation. It is about creating a living, breathing culture that protects you and your customers against disruption. A key theme underpinning resiliency is regulatory pressure to extend resilience requirements that are already imposed on financial institutions into their supply chain. One such evolution on the horizon in the European Union (EU) is a proposed regulation called the Digital Operational Resilience Act (DORA). DORA is an expansion of the groundbreaking operational resilience requirements first set forth by the Bank of England, FCA, and PRA. The key difference between DORA and other resilience requirements is that its focus is on Information and Communication Technology (ICT) risk. ICT risk includes both cloud-based and non-cloud-based technology and data service providers (TSPs).

DORA was first introduced in September 2020. A provisional agreement on its content was reached on May 11, 2022, and a full technical agreement was reached between EU negotiators. It is expected to be finalized in the October 2022 European Parliament plenary session and has an aggressive timetable of implementation and final compliance by Q4 2024.

An Emerging Operational Resilience Standard for Data and Technology

DORA seeks to harmonize existing frameworks on digital operational resilience for financial entities in the European Union and is part of a larger digital finance package. The regulation is intended to make compliance obligations less confusing and provide greater security for consumers by creating unified standards for third-party risk monitoring, performance, and auditing.  

DORA is landmark legislation, the first of its kind to focus on how regulated entities manage their ICT risk. DORA will apply to 20 distinct types of existing regulated financial entities. It also expands the scope of a regulator's reach to those critical technology and data service providers that compose the digital footprint on which the important business services stand.

The ICT vertical is largely unregulated even though it underpins nearly everything that the modern economy does. The legislative process has moved at a glacial pace to impose guardrails on the rapid advances that have been made in technology. The digital financial transformation was accelerated largely because of the pandemic and exacerbated many of the cyber threats that previously existed. As such, there is an increased focus on financial institutions protecting their critical business services against disruption, so it is a logical next step for the supervisory authorities to place the burden of operational resilience on key third parties that support the financial system.

Defining a Critical ICT

DORA’s definition of a technology and data service provider does not make a distinction between a cloud-based and non-cloud-based provider. Financial institutions and their supervisory authorities will help to define a critical TSP by undergoing a risk assessment. According to a recent update published by Deloitte, the prescriptive criteria to designate a TSP as “critical” will be set out in a Delegated Act that the European Commission is expected to finalize 18 months after DORA’s entry-into-force. However, the existing text of the legislation suggests that the following risk factors should be reviewed:  

  • The number and systemic character of financial entities that rely on the TSP  
  • The TSP's degree of substitutability
  • The scale, complexity, and importance of TSP-related dependencies 
  • The criticality or importance of the services that the TSP provides subject to the contractual arrangements 
  • A risk assessment of any potential impact on the continuity and quality of financial services that are consumer facing

Enforcement of DORA

Enforcement of DORA will place a TSP under the supervisory wing of the existing European Supervisory Authority (ESA), providing a way for regulators to have direct oversight. According to the latest agreed proposal, TSPs will be required to set up a European legal entity if they do not already have one. This appears to remove some of the barriers that the European Commission has with its regulators enforcing the General Data Protection Regulation (GDPR) across borders and signals that enforcement is top of mind for the regulators.  

The ESA will be granted authority to conduct on-site and off-site inspections of the regulated entity, issue recommendations, and request financial entities to end their arrangement with the TSP if issues exist. Additionally, the ESA may directly impose fines in case of non-compliance with DORA when it goes into effect, and the individual EU member states may impose criminal penalties. As such, the consequences of non-conformance can be hefty and cause significant reputational and financial damage that could wreak havoc on a company’s bottom line.  

Building a More Resilient Ecosystem with Fusion

It is never too soon to begin understanding how a regulation like DORA affects your business and supply chain. The stakes for non-conformance with DORA can be high, and we recommend that you consult with your organization’s legal counsel to determine if the new regulatory requirements will apply to your organization. Even if the regulations do not apply to your organization, it makes good business sense to consider adopting a resilience strategy that can help you with demonstrating value to customers against competition that has not invested in such programs and may also reduce some of the pain points in the stringent cyber insurance underwriting requirements.  

Many financial institutions already have a head start on meeting stringent resilience standards since they are already directly regulated. If you are a risk and resilience leader at a TSP, below are three tips on how you can get started using your North Star for resilience to help your organization get ready for the new requirements. 

  1. Start with a risk assessment to determine how or if DORA will affect your business as a covered financial entity or TSP 
    Leverage a gap analysis to understand where your organization can strengthen current processes or add new ones to meet the range of proposed requirements for your ICT risk management framework. 
  2. Map your dependencies
    It is important to have a grasp on each of your critical products and services and what is needed to make them run, but more importantly, to understand what happens if one of those requirements becomes unavailable. In the case of DORA, we recommend placing a focus on understanding the relationship of technology and data to those important business services.
  3. Use technology to manage your ICT risk
    Risk and resilience teams are already using technology to address resiliency and compliance. These requirements may be more about repackaging things you are already doing in a way that meets the method set forth by the regulators.  

Fusion is a tool that is purpose-built to help you define a defensible operational resilience program to meet the new regulatory requirements by:  

  • Supplying real-time insight into third-party ICT risk  
  • Managing third parties as a natural extension of your crisis and incident response 
  • Leveraging key indicators to continuously track the most important risk and performance metrics  
  • Surfacing key metrics for the vendors that are most critical to your operational landscape  
  • Deploying incident management to direct teams’ responses to incidents 
  • Aggregating data in one place to easily export and share with regulators or other financial entities under the umbrella of DORA  

Fusion can help you plan and prepare for significant third-party incidents that may be looming on the horizon and enable you to still serve your customers. For more information, contact your Account Manager or check out Fusion’s recent webinar on technology and data resiliency.