The Digital Operational Resilience Act (DORA) is a new European Union regulation designed to add oversight for information and communications technology (ICT) into existing operational resilience regulations. The DORA Act was published in November 2022, and full compliance is mandatory before January 17th, 2025.
DORA Impacts on US Companies
While DORA is an EU regulation, it impacts US organizations that offer financial services within the EU or provide third-party services to EU financial services companies. Additionally, EU regulations have historically influenced similar laws in the US, so the requirements laid out in DORA are expected to affect US regulatory guidance.
DORA’s focus is on operational resilience and specifically mandates technical resilience for digital technologies to better prepare for disruptions of critical business services in the financial services sector.
DORA’s requirements are defined in the following five service areas:
ICT Risk Management
This service area provides guidance and best practices for ICT risk management, including identifying, preventing, responding to, and recovering from cyber threats. Additionally, this area discusses the importance of learning from incidents and communicating about them properly.
These recommendations are largely based on the NIST Risk Management Framework (RMF). Some of the key requirements include:
- Setting up and maintaining resilient ICT systems and tools designed to manage potential ICT risks and their impacts.
- Performing ongoing cyber and ICT event monitoring to enable risk prevention or response.
- Developing and implementing business continuity and disaster recovery (BC/DR) strategies for ICT-related incidents.
ICT-Related Incident Reporting
Reporting of security incidents to regulators and the public has long been a struggle and has emerged as a focus in several recent regulations. DORA implements new incident reporting requirements, including:
- Establishing processes to monitor, log, and classify ICT-related incidents.
- Reporting incidents to relevant regulators via a provided template and procedure.
- Publishing initial, intermediate, and final reports for ICT-related incidents to clients and users.
Digital Operational Resilience Testing
The DORA Act attempts to inspire EU financial services organizations to continually address evolving ICT risks. Beyond documenting plans, companies are also required to build programs that identify and address new ICT risks to the organization. Key aspects of these requirements include:
- Performing periodic tests of ICT risk management frameworks.
- Mitigating or eliminating any identified deficiencies, weaknesses, or gaps.
- Scoping testing to the size, business, and risk profile of the organization.
- Addressing higher levels of risk exposure via Threat-Led Penetration Testing (TLPT).
ICT Third-Party Risk
Third-party risk management is a core component of DORA’s ICT risk management. Some of the requirements that EU financial services organizations must ensure, via contracts with service providers that support critical or important functions, include:
- Complete monitoring visibility of outsourced functions.
- Full service level agreement (SLA) description.
- Indications of where data is processed/stored.
- Implementation of the Union Oversight Framework to promote converged visibility into ICT third-party risks.
Information Sharing
Information-sharing between organizations within an industry can enhance prevention, detection, and response to cyberattacks. DORA encourages sharing threat intelligence and cyber risk information and asks organizations to determine:
- What data is to be shared (balancing community support with regulatory requirements)
- How to efficiently share data
- How to consume shared data for maximum impact
Summary of DORA’s Impact on US Organizations
The impact of DORA on organizations outside the EU depends on the role they play within the EU financial services industry. Organizations that provide financial services to EU financial organizations must demonstrate DORA compliance, on a risk-aligned basis, by January 17th, 2025.
Organizations affected by DORA will be required to demonstrate that they have adopted core operational resilience requirements, have incorporated oversight of information and communications technologies into their planning, testing, and recovery capabilities, and that their risk management, incident reporting, and governance policies and procedures are aligned with DORA requirements. Finally, for critical business services with third-party dependencies, they must demonstrate that their third-party service provider contracts support the provisions described in the DORA regulation.
How MorganFranklin Can Help
MorganFranklin can support your organization’s efforts to adopt operational resilience requirements and to plan, implement, and assess its new ICT risk management, incident management, and third-party provider requirements. Our team of experts can perform an assessment of possible regulatory impacts on your organization, review critical business services with third-party dependencies, or help you develop other strategies, solutions, or services to prepare your organization for DORA requirements.