New European Resilience Regime: The Race to Prepare for DORA
Introduction
The rapid digitalization of the financial sector has brought numerous benefits, but it has also exposed companies to increased technological risks such as cyberattacks, system outages, and failures in information and communication technologies (ICT). To strengthen the resilience of financial institutions (FIs) against these threats, the European Union has introduced the Digital Operational Resilience Act, known as DORA. As DORA’s enforcement date approaches, financial institutions and their ICT service providers must intensify their efforts to comply with this new regulation.
The Necessity of DORA
DORA aims to establish rigorous requirements to protect the critical business processes of financial institutions in Europe. It encompasses several essential aspects, including:
ICT Risk Management: Developing an internal ICT risk management framework, including a strategy, policies, and appropriate procedures.
ICT Incident Management and Reporting: Implementing robust processes to manage and report incidents and cyber threats.
Operational Resilience Testing: Adopting a risk-based approach for resilience testing, including physical tests, application tests, and threat-led penetration testing.
Third-Party Risk Management: Establishing a risk management framework for third-party ICT service providers.
Information Sharing: Facilitating the sharing of information and intelligence on cyber threats among financial institutions.
Progress and Challenges in Implementing DORA
According to a survey conducted by McKinsey, most financial institutions have begun the process of complying with DORA, but many remain behind schedule. Several challenges persist, including:
Limited Clarity on the Scope of Requirements: Institutions struggle to precisely define critical functions and critical third-party ICT providers.
Uncertainty About the Implementation Timeline: The finalization of the regulatory technical standards (RTS) is expected by July 2024, which makes it difficult to plan and execute compliance programs.
Example of Successful Implementation
A major European financial institution recently completed a significant technological risk remediation program and quickly refocused its efforts to comply with DORA. By rethinking its DORA program with specific activity groups and reorganizing its governance, the institution successfully created a culture of technological risk management throughout the organization. This strategic, risk-based approach has positioned the institution favorably compared to its peers.
Financial Implications
Compliance with DORA represents a considerable investment for financial institutions. Estimates for the full implementation costs range between 5 and 15 million euros for strategy, planning, and program orchestration, with total costs reaching up to 100 million euros for large institutions.
Conclusion
With the January 2025 deadline approaching, European financial institutions must accelerate their efforts to comply with DORA. Success lies in a structured and holistic approach, integrating technological risk management as a crucial driver of business value. Institutions must prepare for this transition to ensure robust operational resilience and protect their critical processes against digital threats.